[NCLUG] openssh
J. Paul Reed
preed at sigkill.com
Tue Jan 15 10:49:49 MST 2002
On Tue, 15 Jan 2002, nclug wrote:
> We've seen a few "intrusions" lately on some of our client's machines
> also with similar hiddens. Do you know of any good way to find all
> of the files and directories that have been hidden?
With the stupider rootkits, you can use the following perl hack to look at
/proc directly (instead of using a possibly compromised ps); if you don't
like it, don't blame me... I didn't write it. :-)
The really good rootkits will alter /proc, but it's a nice way to verify
what ps says if something seems amiss...
#!/usr/bin/perl
# Walk /proc directly and print each PID with its command line,
# bypassing a possibly trojaned ps(1).
use strict;
use warnings;

opendir(my $d, '/proc') or die "opendir /proc: $!";
while (defined(my $pid = readdir($d))) {
    next unless $pid =~ /^\d+$/;                       # numeric entries are processes
    open(my $f, '<', "/proc/$pid/cmdline") or next;    # process may have exited already
    local $/ = "\0";                                   # cmdline arguments are NUL-separated
    my @args;
    while (defined(my $arg = <$f>)) {
        chomp $arg;                                    # strip the trailing NUL from each argument
        push @args, $arg;
    }
    close($f);
    # empty cmdline means a kernel thread or a zombie
    print "$pid: ", (@args ? join(' ', @args) : '(none)'), "\n";
}
closedir($d);
Later,
Paul
------------------------------------------------------------------
J. Paul Reed preed at sigkill.com || web.sigkill.com/preed
What's the point in being nuts if you can't have a little fun?
-- John Nash, Jr., A Beautiful Mind
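Added example, not Paul's script and not from the original post: the same idea in Python, taken one step further. Reading /proc directly only helps against a rootkit that replaced ps; one that filters the /proc directory listing in the kernel defeats it. The script below therefore compares three views of the process table: readdir(/proc), ps, and a brute-force probe of every PID up to pid_max with kill(pid, 0) and stat("/proc/<pid>"), which a listing-filtering rootkit often still answers. It assumes a Linux host with /proc mounted and a ps that accepts `ps -eo pid=`; the PIDs in the test are constructed.

```python
#!/usr/bin/env python3
"""Cross-check which processes each view of the system admits to.

Added example, not the script from the original post.  Assumes Linux with
/proc mounted and a ps(1) that accepts `ps -eo pid=`.
"""
import os
import subprocess


def format_cmdline(raw):
    """Render the NUL-separated bytes of /proc/<pid>/cmdline as one line.
    An empty file means a kernel thread or a zombie: report '(none)'."""
    args = [a for a in raw.split(b"\0") if a]
    if not args:
        return "(none)"
    return " ".join(a.decode("utf-8", "replace") for a in args)


def read_cmdline(pid):
    """Read /proc/<pid>/cmdline; the process may exit between listing and read."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return format_cmdline(f.read())
    except OSError:
        return "(gone)"


def is_thread_group_leader(pid):
    """Threads also answer kill() and have /proc/<tid>, but readdir(/proc) lists
    only thread-group leaders; drop non-leaders to avoid false positives."""
    try:
        with open(f"/proc/{pid}/status") as f:
            for line in f:
                if line.startswith("Tgid:"):
                    return int(line.split()[1]) == pid
    except OSError:
        pass
    return True  # cannot tell (gone, or its /proc entry is hidden): keep it


def pids_from_proc_listing():
    """PIDs as returned by readdir(/proc): the view the Perl hack uses."""
    return {int(n) for n in os.listdir("/proc") if n.isdigit()}


def pids_from_ps():
    """PIDs as reported by ps(1), which a rootkit may have replaced."""
    out = subprocess.run(["ps", "-eo", "pid="], capture_output=True,
                         text=True, check=True).stdout
    return {int(tok) for tok in out.split()}


def pids_by_probing(pid_max=None):
    """Ask about every PID individually instead of trusting a directory listing.
    kill(pid, 0) succeeding or failing with EPERM means the process exists;
    a stat of /proc/<pid> is a second opinion in case kill() is hooked."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    found = set()
    for pid in range(1, pid_max + 1):
        try:
            os.kill(pid, 0)
            alive = True
        except PermissionError:
            alive = True
        except ProcessLookupError:
            alive = os.path.isdir(f"/proc/{pid}")
        if alive and is_thread_group_leader(pid):
            found.add(pid)
    return found


def compare_views(proc_listing, ps_view, probed):
    """hidden_from_ps:   in readdir(/proc) but missing from ps (trojaned ps)
    hidden_from_proc: answer to probing but missing from readdir(/proc)
                      (kernel-level filtering of the /proc listing)"""
    return {
        "hidden_from_ps": sorted(proc_listing - ps_view),
        "hidden_from_proc": sorted(probed - proc_listing),
    }


def scan(rounds=2):
    """Repeat the comparison and keep only PIDs flagged every round, so
    processes that merely started or exited between snapshots drop out."""
    stable = None
    for _ in range(rounds):
        cur = {k: set(v) for k, v in compare_views(
            pids_from_proc_listing(), pids_from_ps(), pids_by_probing()).items()}
        stable = cur if stable is None else {k: stable[k] & cur[k] for k in cur}
    return {k: sorted(v) for k, v in stable.items()}


if __name__ == "__main__":
    for kind, pids in scan().items():
        for pid in pids:
            print(f"{kind}: {pid} {read_cmdline(pid)}")
```

Run it as root so kill(pid, 0) is not refused for other users' processes (EPERM is still treated as "exists", so an unprivileged run works but is noisier). The two-round intersection in scan() is what keeps short-lived processes out of the report; anything that survives it is worth a look with read_cmdline(). The same limitation Paul notes still applies: a kernel rootkit that hooks kill(), stat() and readdir() consistently will fool all three views, at which point only inspection from outside the running system (booting clean media, or an offline disk image) is trustworthy.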