[lug] newbie question - rc.sysinit
rm at mamma.varadinet.de
Fri Jul 13 01:52:58 MDT 2001
On Thu, Jul 12, 2001 at 10:52:25AM -0600, Scott A. Herod wrote:
> I've seen one attack that added start-up code in rc.sysinit ( or
> maybe it was rc.local ). I keep "clean-room" versions of ls,
> ps, rpm, lsof and netstat on floppies. Whenever I see anything
> at all unexpected on a machine I use them to look around.
I guess you are aware of the fact that this won't help against
a serious cracker. If your kernel module checks for the name
of executables to be run it doesn't matter where they came from.
If you fear that a box has been cracked, I'm afraid nothing but
a reboot from a clean medium is secure (unless the cracker patched
the BIOS ;-)
Ralf
> I've never seen lsof replaced on a root-kit'ed box but have
> seen the others changed. 'lsof -i' and 'rpm --verify' are
> very useful. Anything at all wrong, and I think that it is
> time to wipe the machine and start over.
>
> Scott
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
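The thread above contrasts two approaches: checking a live box with trusted copies of ls/ps/lsof (which a kernel-level rootkit can still defeat) versus booting from clean media and inspecting the suspect filesystem from outside. The script below is an added example, not code from either poster: it records a sha256 manifest of selected files on a known-clean system and later verifies a suspect root that has been mounted read-only from a rescue boot, so the suspect kernel is never in the loop. The file list, manifest format and `demo` helper (which builds a constructed clean tree and a constructed tampered copy in a temp directory) are assumptions for illustration.

```shell
#!/bin/sh
# Offline integrity check (added example, not from the original thread).
# Intended use: boot from clean media, mount the suspect root read-only
# (e.g. at /mnt/suspect), then run verify_manifest against it using a
# manifest that was generated earlier on a trusted system.

# make_manifest ROOT LISTFILE
#   LISTFILE holds one path per line, relative to ROOT (e.g. "bin/ps").
#   Prints "<sha256>  <relative path>" per file; missing files get MISSING.
make_manifest() {
    root="$1"; list="$2"
    while IFS= read -r rel; do
        [ -n "$rel" ] || continue
        sum=$(sha256sum "$root/$rel" 2>/dev/null | cut -d' ' -f1)
        printf '%s  %s\n' "${sum:-MISSING}" "$rel"
    done < "$list"
}

# verify_manifest ROOT MANIFEST
#   Recomputes each hash under ROOT and prints one MISMATCH line per file
#   whose content changed or disappeared. Hashing is done by the (trusted)
#   rescue kernel and userland, not by the suspect system's own tools.
verify_manifest() {
    root="$1"; manifest="$2"
    while read -r expected rel; do
        actual=$(sha256sum "$root/$rel" 2>/dev/null | cut -d' ' -f1)
        if [ "${actual:-MISSING}" != "$expected" ]; then
            printf 'MISMATCH %s (expected %s, got %s)\n' \
                "$rel" "$expected" "${actual:-MISSING}"
        fi
    done < "$manifest"
}

# demo MODE   (MODE is "clean" or "tampered")
#   Builds a constructed clean tree and a suspect copy in a temp dir,
#   tampers with bin/ps when MODE=tampered, and echoes the mismatch count.
demo() {
    mode="$1"
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    printf 'ls v1\n' > "$work/clean/bin/ls"      # constructed stand-in binary
    printf 'ps v1\n' > "$work/clean/bin/ps"      # constructed stand-in binary
    printf 'bin/ls\nbin/ps\n' > "$work/files.lst"
    make_manifest "$work/clean" "$work/files.lst" > "$work/manifest"
    cp "$work/clean/bin/ls" "$work/clean/bin/ps" "$work/suspect/bin/"
    if [ "$mode" = tampered ]; then
        printf 'ps trojaned\n' > "$work/suspect/bin/ps"   # simulated replacement
    fi
    mismatches=$(verify_manifest "$work/suspect" "$work/manifest" \
                 | grep -c '^MISMATCH' || true)
    rm -rf "$work"
    echo "$mismatches"
}

echo "mismatches in clean root:    $(demo clean)"
echo "mismatches in tampered root: $(demo tampered)"
```

The manifest must be stored off the machine (or on write-protected media), since anything left on the suspect disk could be rewritten by the same intruder who replaced the binaries; the same goes for the rescue medium itself.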