[lug] What does this mean?
Samartha
qwerty at pobox.com
Tue Mar 21 04:32:46 MST 2000
At 01:39 AM 3/21/00 -0700, you wrote:
>After some investigating, I managed to get a hold of the utility that was
>run on my system.
>What is this doing? Please bear with me :)
>Thanks,
>Shannon
>
># ./fix /bin/ps backdoor/ps /usr/lib/ldlibps.so
># ./fix /bin/netstat backdoor/netstat /usr/lib/ldlibstat.so
looks as if somebody has fixed up some programs on your machine.
What a rootkit does is to create a hidden backdoor to obtain root access to
your
machine at will.
see:
http://www.rewted.org/utilities/rootkits/
take the lrk4, unpack it and look at the code to give you an idea.
How it is done is by replacing basically all essential system programs
(ls, du, ps, login, tar find, netstat ...) with trojans to hide
a.) a hidden directory (sometimes ...) where all stuff is kept
b.) the existence of trojans
by reporting the correct file sizes, checksums and disk usage so
one won't notice the existence of a root compromise and hide the
existence of the intruder and it's tools.
The only way to circumvent the compromise is to use clean programs
by possibly booting from another disk.
Reinstall from scratch and restore from a backup done before the compromise
and patching the holes where they came in may be a good way to get our of this.
I had a root compromise with lrk4 and they were running a ./fix on programs
to make replace them with trojans or change some bytes to generate
a correct checksum.
It's really bad then you find that your ls does not show you everything or
lies about
file sizes. The trojans are significantly larger than the originals.
Write down the hours it takes you to recover and the damage you suffer, if
you have any traces where they came from and if they are in your state, you
may sue them for damages.
also, see:
http://www.cert.org/tech_tips/root_compromise.html
Samartha
More information about the LUG
mailing list