Rob Thomas (rthomas@linux.com)
Sun, 20 Feb 2000 14:35:56 PST
Normally, a rootkit is defined as a collection of programs that will enable
a cracker to keep root access. These are usually modified versions of
standard programs like 'login', 'su', 'passwd', and the like, which have
been installed by the cracker. The most common way of keeping track of
these is using a program such as Tripwire, and keeping MD5 checksums. What
this means is that you will have a file with a MD5 hashed string which
matches each program. It's sort of like fingerprints or zebra stripes: no
two programs will have the same MD5 hash. This way, you can run a script
to check the integrity of each program. Here are some good sites on this:
http://www.linux.com/security
http://www.linuxsecurity.com
http://www.securityfocus.com
On Sun, 20 Feb 2000, Adam Jinks wrote:
> one of my servers was cracked on friday night by using (what looks like)
> a bind pre 8.2.x exploit. i'd advise all who are running bind to upgrade to
> 8.2.2 patch5 if you haven't already.
>
> but speaking of root kits, does anyone know how to tell if someone's
> installed a root kit? for some reason i can't log on to ttyp1,
> ttyp0,2,3.. are ok though. doing a finger shows no-one logged on to that
> terminal. this started happening after the intrusion (cosmic
> coincidence?).
>
> i checked the dates and sizes of some of the files a root kit would alter
> such as finger, ps, top, etc. but they all appear fine.
>
> any theories/suggestions would be appreciated because i'd like to know if
> my server is now doing some malevolent cracker's evil bidding.
--
-o)
Rob Thomas / \
rthomas@linux.com _\_v
--
This message came to you via the Vancouver Linux Users Group mailing list.
For unsubscription instructions do not email the list, but rather send mail
to <vanlug-request@gweep.bc.ca>.
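The integrity check Rob describes, as an added example that is not code from the post or from Tripwire: it records a content hash (MD5, to match the post; `hashlib` lets you substitute sha256, which is what you would pick today since MD5 collisions are cheap to produce) plus size and mtime for a set of files, then re-checks them. The demo goes one step beyond the thread: it constructs two stand-in "binaries" in a temporary directory, replaces one with a same-length file whose mtime is put back, and deletes the other, to show that the date-and-size comparison Adam did misses the swap while the hash catches it. File names and contents are constructed for the example. The baseline only protects you if it is stored where the intruder cannot rewrite it (read-only or off-box) and the checker runs from a trusted copy of the tools, since a kit that replaces the hashing program itself can lie to an on-host check.

```python
"""Added example (not from the original post): a minimal Tripwire-style
integrity baseline and check over a set of files."""
import hashlib
import os
import tempfile
from pathlib import Path

# The post talks about MD5; change this to "sha256" for a modern deployment.
HASH_ALGO = "md5"


def file_digest(path: Path, algo: str = HASH_ALGO) -> str:
    """Hex digest of a file's contents, read in chunks so large binaries are fine."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths):
    """Record digest, size and mtime per file. Keep this copy offline/read-only."""
    baseline = {}
    for p in map(Path, paths):
        st = p.stat()
        baseline[str(p)] = {
            "hash": file_digest(p),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
        }
    return baseline


def check_baseline(baseline):
    """Re-hash every baselined file; return a list of (path, reason) findings."""
    findings = []
    for path, rec in baseline.items():
        p = Path(path)
        if not p.exists():
            findings.append((path, "missing"))
            continue
        st = p.stat()
        if file_digest(p) != rec["hash"]:
            findings.append((path, "hash mismatch"))
        elif st.st_size != rec["size"] or int(st.st_mtime) != rec["mtime"]:
            # Same bytes but changed metadata: worth a look, not proof of tampering.
            findings.append((path, "metadata changed"))
    return findings


def demo():
    """Constructed scenario: a same-size, same-mtime replacement and a deleted file."""
    with tempfile.TemporaryDirectory() as d:
        login = Path(d) / "login"    # stand-in for /bin/login, constructed
        passwd = Path(d) / "passwd"  # stand-in for /usr/bin/passwd, constructed
        login.write_bytes(b"#!/bin/sh\necho original login\n")
        passwd.write_bytes(b"#!/bin/sh\necho original passwd\n")
        baseline = build_baseline([login, passwd])

        # The change a date/size comparison cannot see: identical byte length,
        # and the original mtime restored after the write.
        before = login.stat()
        login.write_bytes(b"#!/bin/sh\necho trojaned login\n")
        os.utime(login, (before.st_atime, before.st_mtime))
        passwd.unlink()

        return check_baseline(baseline)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:16} {path}")
```

Running the script prints one "hash mismatch" line for the replaced file and one "missing" line for the deleted one; a clean run prints nothing, which is what a nightly cron job should normally report.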
This archive was generated by hypermail 2.0b3 on Sun 20 Feb 2000 - 22:43:15