VanLUG Email Archive


VanLUG Mailing List
Re: Help


Raymond D. Mereniuk (Raymond@fbn.bc.ca)
Fri, 16 Mar 2001 14:00:33 -0800


On 16 Mar 2001, at 10:38, Derek Tam wrote:

> I have a RedHat Linux 6.0 (2.2.16-3) box at home, and I use 'IPCHAINS' to
> setup the firewall. Recently, I find that I can't use 'ps -fe' command on
> my machine (not really doesn't work, but only display my shell process and
> the getty processes). But I still can use 'ps -aux'.

Looks like you have been hacked and a rootkit was installed.
While most folks will advise you to re-install from scratch it is
possible to clean the vermin out and secure the system. I would
suggest this as a short term solution. Typically the rootkit breaks
something which is difficult to fix so you should plan for a complete
re-installation in the near future. RedHat 6.2 would be
recommended as 6.0 is like old eh!

As Ben suggested run rpm --verify -a and get a list of RPMs which
have had files modified. The listing might be difficult to read. The
following is a list of affected RPMs found recently on a hacked RH
6.0 server. If any of the same RPMs are mentioned in your list you
should download new versions and do whatever you must to
re-install those packages.

The ps command not working is very typical. Other files commonly
changed are find, pstree, rlogin, ifconfig, netstat, login and ls.
Chances are there is a trap door in tcpd so replace it first. If you
are running an old version of bind that is probably where they got in.
Once you clean out the vermin you may want to consider Tripwire
for future use; it is a great tool to help clean up a system. Good
luck.

A list of the affected RPMs follows:
fileutils-4.0-1
sysklogd-1.3.31-14
findutils-4.1-31
crontabs-1.7-6
netkit-base-0.10-31
initscripts-4.16-1
procps-2.0.2-2
psmisc-18-2
rsh-0.10-25
tcp_wrappers-7.6.7
net-tools-1.52-2
pidentd-2.8.5-3
bind-8.2.2_P3-1

Virtually

Raymond D. Mereniuk
Raymond@fbntech.com
FBN - Offering PUP - Unbreakable Encryption Technology
http://www.fbntech.com/pup.html

--
This message came to you via the Vancouver Linux Users Group mailing list.
For unsubscription instructions do not email the list, but rather send mail
to <vanlug-request@gweep.bc.ca>.
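As an added example (not from the thread), a small POSIX sh triage for the rpm --verify -a listing Raymond says is hard to read: it flags files whose contents changed and the binaries the mail names as common rootkit targets. The severity levels, basename matching and the sample lines are my assumptions.

```shell
#!/bin/sh
# Triage helper for "rpm --verify -a" (rpm -Va) output. Each verify line is:
# nine attribute flags (S size, M mode, 5 digest, D device, L symlink, U user,
# G group, T mtime, P caps; "." = unchanged), an optional file-type letter
# (c config, d doc, g ghost, l licence, r readme), then the path.
# Live use: rpm -Va | triage   (source this file first). Caveat: a trojaned
# rpm binary or database can lie; verify from rescue media where possible.

# Binaries the mail names as commonly replaced (assumption: matched by basename).
SUSPECT_NAMES="ps find pstree rlogin ifconfig netstat login ls tcpd"

# classify_line FLAGS TYPE PATH -> "LEVEL PATH FLAGS"
#   ROOTKIT_TARGET  any change to one of SUSPECT_NAMES
#   HIGH            content changed (5 or S) in a non-config file
#   CONFIG          content changed in a config file
#   WATCH           metadata only (mtime, mode, owner ...)
classify_line() {
    flags=$1; ftype=$2; path=$3; level=WATCH
    case $flags in
        *5*|*S*) if [ "$ftype" = c ]; then level=CONFIG; else level=HIGH; fi ;;
    esac
    base=${path##*/}
    for n in $SUSPECT_NAMES; do
        [ "$base" = "$n" ] && { level=ROOTKIT_TARGET; break; }
    done
    printf '%s %s %s\n' "$level" "$path" "$flags"
}

# triage: read verify output on stdin; skip "missing" and dependency noise lines
triage() {
    while read -r flags second third; do
        case $flags in ''|missing|Unsatisfied*) continue ;; esac
        if [ -z "$third" ]; then ftype=''; path=$second
        else ftype=$second; path=$third; fi
        classify_line "$flags" "$ftype" "$path"
    done
}

# Constructed sample mimicking rpm -Va on a compromised host (not real output).
SAMPLE='S.5....T.    /bin/ps
S.5....T.    /sbin/ifconfig
.M.......    /usr/bin/find
S.5....T.    /usr/sbin/in.identd
S.5....T.  c /etc/hosts.allow
.......T.  c /etc/inittab
missing    /usr/share/doc/bind/README'

# count_level LEVEL -> number of sample lines triaged at that level
count_level() { printf '%s\n' "$SAMPLE" | triage | grep -c "^$1 "; }

printf '%s\n' "$SAMPLE" | triage
```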



This archive was generated by hypermail 2.0b3 on Tue 03 Jul 2001 - 19:14:49