[NCLUG] how was I hacked?

jbass at dmsd.com
Sun Jun 1 14:54:40 MDT 2003


Kevin Fenzi <kevin at scrye.com> writes:
> 	If for some reason you can't do that, you could try doing a 
> 	'rpm -Va' and see if it will tell you all the system files they
> 	modified, and then 'rpm -Uvh --replacepkgs' for each rpm to put the
> 	real files back. Of course, that will miss any they added not via rpm,
> 	assumes the rpm database or binary hasn't been hacked, and that your
> 	kernel hasn't been tampered with. ;) 
> 	So, re-installing is really the only good option. 

Two notes on recent script-kiddie technology. First, two of the last
three hacked machines I picked apart had the rootkit installed over the
net via RPM as an update, so an rpm -Va scan didn't trigger. Second, some
are also deleting rpm in their cleanup as well, which might be the only
visible sign of being rooted.

I would like a tar file of the toolkit files and kernel modules attacked
in this round .... Moving the sniffer and back door into kernel modules
(a guess on my part) is certainly the next round in rootkits, as they can
leave the filesystem clean for tripwire with only the running kernel memory
compromised.

John
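Added example (editor's note, not part of John's or Kevin's message): two small
POSIX sh helpers for the rpm -Va triage discussed above, written to account for
the two gaps John describes. The first parses rpm -Va output and separates
changed binaries from changed config files and from packaged files that have
vanished (the deleted rpm binary case). The second parses
`rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'` output and
reports packages that are unsigned or signed by a key other than the distro's,
which is the check that catches a rootkit "updated" in as an RPM. All input
below is constructed sample text so the script runs without rpm present; the
package names, dates and key IDs are placeholders, and TRUSTED_KEY_ID must be
set to your distro's real signing key. The signature tag name varies by rpm
version (SIGPGP, DSAHEADER, RSAHEADER); check `rpm --querytags` on your box.
None of this helps if rpm, its database or the running kernel is already
compromised, so run it from a boot CD against the mounted disk, as Kevin says.

```shell
#!/bin/sh
# Added example; not from the original post. Parses constructed sample
# output so it runs offline. On a real box, feed it `rpm -Va` and
# `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'`.

# Placeholder key ID (assumption). Replace with the distro's signing key.
TRUSTED_KEY_ID="${TRUSTED_KEY_ID:-0123456789abcdef}"

# Constructed rpm -Va output. Each line: test flags
# (S=size M=mode 5=MD5 D=device L=link U=user G=group T=mtime),
# an optional attribute letter (c=config d=doc g=ghost l=license r=readme),
# then the path. "missing" means the packaged file is gone.
SAMPLE_RPM_VA='S.5....T.    /bin/ls
S.5....T.    /bin/ps
.......T.    /usr/share/doc/foo/README
S.5....T.  c /etc/ssh/sshd_config
missing     /bin/rpm'

# Constructed signature listing. Package names, dates and the second
# key ID are made up for the example.
SAMPLE_RPM_SIGS="bash-2.05b-20 DSA/SHA1, Thu 20 Feb 2003, Key ID $TRUSTED_KEY_ID
openssh-3.5p1-6 DSA/SHA1, Thu 20 Feb 2003, Key ID $TRUSTED_KEY_ID
sysupdate-1.0-1 (none)
ssh-update-2.1-0 DSA/SHA1, Sun 01 Jun 2003, Key ID fedcba9876543210"

# Read rpm -Va lines on stdin. Report non-config files whose size or MD5
# changed (BINARY), config files that changed (CONFIG, usually benign),
# and packaged files that no longer exist (MISSING). Mtime-only changes
# are ignored.
suspicious_rpm_va() {
    while read -r flags attr path; do
        [ -z "$flags" ] && continue
        # If there is no attribute column, the second field is the path.
        case "$attr" in
            [cdglr]) ;;
            *) path="$attr"; attr="" ;;
        esac
        if [ "$flags" = "missing" ]; then
            printf 'MISSING %s\n' "$path"
            continue
        fi
        case "$flags" in
            S*|??5*)
                if [ "$attr" = "c" ]; then
                    printf 'CONFIG  %s\n' "$path"
                else
                    printf 'BINARY  %s\n' "$path"
                fi ;;
        esac
    done
}

# Read "NAME-VERSION-RELEASE <pgpsig>" lines on stdin. $1 is the trusted
# key ID. Report packages with no signature (UNSIGNED) or a signature from
# any other key (FOREIGN); a rootkit pushed in as an "update" lands here.
unsigned_or_foreign_pkgs() {
    while read -r pkg rest; do
        [ -z "$pkg" ] && continue
        case "$rest" in
            "(none)")           printf 'UNSIGNED %s\n' "$pkg" ;;
            *"Key ID $1"*)      ;;
            *)                  printf 'FOREIGN  %s\n' "$pkg" ;;
        esac
    done
}

echo "== rpm -Va triage =="
printf '%s\n' "$SAMPLE_RPM_VA" | suspicious_rpm_va
echo "== package signatures =="
printf '%s\n' "$SAMPLE_RPM_SIGS" | unsigned_or_foreign_pkgs "$TRUSTED_KEY_ID"
```

On a live system, pipe the real commands in instead of the samples:
`rpm -Va | suspicious_rpm_va` and
`rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n' | unsigned_or_foreign_pkgs "$TRUSTED_KEY_ID"`.
A package that is signed with your key but still shows up under BINARY was
modified after install; a FOREIGN or UNSIGNED package that passes rpm -Va
cleanly is exactly the case John describes.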


