[lug] newbie question - rc.sysinit
Scott A. Herod
herod at interact-tv.com
Thu Jul 12 10:52:25 MDT 2001
I've seen one attack that added start-up code in rc.sysinit (or
maybe it was rc.local). I keep "clean-room" versions of ls,
ps, rpm, lsof and netstat on floppies. Whenever I see anything
at all unexpected on a machine I use them to look around.
I've never seen lsof replaced on a root-kit'ed box but have
seen the others changed. 'lsof -i' and 'rpm --verify' are
very useful. Anything at all wrong, and I think that it is
time to wipe the machine and start over.
Scott
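
An added example, not part of the original post: a small triage filter for `rpm --verify -a` output that separates digest mismatches in the start-up scripts named above from changed config files and other changed or missing files. The function name, the sample lines and the floppy mount point are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage the output of `rpm --verify -a`.
# Each line is an attribute string (S M 5 D L U G T ...), an optional
# one-letter file marker (c = config file), and the path. A "5" in the
# third column means the file digest no longer matches the RPM database.

triage_rpm_verify() {
    awk '
    {
        path = substr($0, index($0, "/"))      # keeps paths with spaces
        marker = (NF >= 3 && length($2) == 1) ? $2 : "-"
    }
    $1 == "missing"                  { print "MISSING " path; next }
    substr($1, 3, 1) != "5"          { next }  # digest unchanged: skip
    path ~ /\/rc\.(sysinit|local)$/  { print "STARTUP " path; next }
    marker == "c"                    { print "CONFIG " path; next }
                                     { print "CHANGED " path }
    '
}

# Constructed sample of verify output (not from a real machine).
SAMPLE='S.5....T.    /bin/ls
S.5....T.    /bin/netstat
S.5....T.  c /etc/rc.d/rc.local
..5....T.    /etc/rc.d/rc.sysinit
.......T.  c /etc/inittab
missing      /bin/ps
S.5....T.  c /etc/ssh/sshd_config'

printf '%s\n' "$SAMPLE" | triage_rpm_verify

# On a live box, feed it from the trusted copy of rpm instead, e.g.
# (mount point is an assumption):
#   /mnt/floppy/rpm --verify -a | triage_rpm_verify
```

STARTUP, CHANGED and MISSING lines are the ones to look at first; CONFIG lines are often legitimate local edits but still worth reading.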