[lug] Re: LUG digest, Vol 1 #520 Re Message 1

Calvin Dodge caldodge at fpcc.net
Wed Sep 20 05:11:26 MDT 2000


Alex Horan wrote:
> 
> I can ftp and put a file in place but I have not been able to find the file
> on another box. I can also change permissions on files using some remote
> administration tools. Does anyone have a file they can e-mail me (even one
> with a different name but the same function that I can edit??)
> alexhoran at hotmail.com.
> 
>  Someone has suggested to me that the box has been hacked as an sdc partition
> should start at 1 not 0 - unfortunately I am too new to Linux to be 100% sure
> about that. If this is the case can anyone suggest how I can regain console
> access to the machine and start to restore it to its original state?

It _does_ sound like it's been hacked, especially given the placement of a FILE
in the /dev directory.

I missed the beginning of this thread - am I correct in assuming that you can't
physically touch the machine, so you can't just boot it with a rescue floppy?

If you have a sufficiently recent version of Webmin, and can send files to the
computer in question, AND use a RPM-based system, then I'd try something like
this:

1) Use the file manager (under the "Others" tab) to check the size of typical
suspects like /bin/ls and /bin/login.
2) Use "Software Packages" (under the "System" tab) to verify the sizes of
those files (/bin/ls, for example is in the package "fileutils" - while
/bin/login is in "util-linux").
3) If those sizes are different, then there's an excellent chance your system
has been hacked.
4) Reinstall the affected packages.  Note that Webmin will let you grab the
file from the nearest convenient ftp or http server, or you can upload it
directly from the computer you're using to browse Webmin.

If this lets you regain some control of the computer, your best bet IS to wipe
and reinstall Linux, since you don't know what trapdoors the cracker may have
installed.

If you can't do that, then give me a holler, and I'll see if I can help you
locate those trapdoors.

Calvin

-- 
Calvin Dodge
Certified Linux Bigot
http://www.caldodge.fpcc.net
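
The same size-versus-package-record check from steps 1-3, done with the rpm command line instead of the Webmin tabs, as an added example that is not code from the original post or from Webmin; it assumes an RPM-based host with rpm on the PATH, and the suspect paths are the ones named above.

```shell
#!/bin/sh
# Added example, not code from the original post or from Webmin.
# Assumes an RPM-based host with rpm on the PATH; suspect paths are
# the ones named in the post (/bin/ls, /bin/login).

# Print the package that owns a file; non-zero status if unowned.
owner_of() {
    rpm -qf "$1" 2>/dev/null
}

# Read 'rpm -V' output on stdin and print "path reason" for every file
# whose size (S), checksum (5) or mode (M) no longer matches the package
# record, or that is missing. A changed mtime (T) alone is ignored as
# ordinary drift. Works with both the 8- and 9-column flag field, since
# the first word is always the flags and the last word the path.
flag_tampered() {
    while IFS= read -r line; do
        case "$line" in
            missing*)
                printf '%s missing\n' "${line##* }" ;;
            *)
                flags=${line%% *}
                path=${line##* }
                reason=""
                case "$flags" in *S*) reason="${reason:+$reason,}size" ;; esac
                case "$flags" in *5*) reason="${reason:+$reason,}checksum" ;; esac
                case "$flags" in *M*) reason="${reason:+$reason,}mode" ;; esac
                if [ -n "$reason" ]; then
                    printf '%s %s\n' "$path" "$reason"
                fi ;;
        esac
    done
}

# For each suspect file, find its package and verify that whole package,
# reporting only the files that look replaced or removed.
check_suspects() {
    for f in "$@"; do
        if pkg=$(owner_of "$f"); then
            rpm -V "$pkg" | flag_tampered
        else
            printf '%s not owned by any package\n' "$f"
        fi
    done
}

# Usage on the box in question: check_suspects /bin/ls /bin/login
```

rpm -V compares against the RPM database on the same disk, so a cracker who replaced rpm itself or rewrote the database defeats this check, which is why the wipe-and-reinstall advice above still stands.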
