[NCLUG] Have I been cracked?

Stephen Warren swarren at wwwdotorg.org
Fri Oct 13 12:54:18 MDT 2006


Kevin Fenzi wrote:
>>>>>> "Stephen" == Stephen Warren <swarren at wwwdotorg.org> writes:
> 
> Stephen> Note that rpm -V prints nothing; apparently the binary
> Stephen> matches just fine, even if the size is incorrect?! If I
> Stephen> rename the file, then rpm -V complains it's missing. If I put
> Stephen> some other random file there, rpm -V complains about an
> Stephen> md5sum mismatch.
> 
> Stephen> Does anyone know what's up???
> 
> It could well be prelinking... the prelinking process changes the size
> of binaries on disk, but rpm -V has been setup to understand that, so
> it won't show them as changed.
> 
> see 'man prelink' for more info.

Ah yes. That would certainly make sense. I'll see if I can verify this...

> Stephen> I attempted to start apache, and it wouldn't start. "netstat
> Stephen> -an" showed something listening on port 444. I did "service
> Stephen> stop iiimf-server", then apache would start, so I suppose it
> Stephen> was /usr/bin/htt that had port 444 open.
> 
> Could be. Or might have just been the httpd took a while to exit and
> release that port. Were there any httpd's running at all?
> 
> fuser -n tcp 444
> 
> should show the exact pid thats keeping tcp port 444 open.

I should have done that!

Actually, the whole thing about htt interfering might have been a
red herring. Looking back at the error messages in the logs that Apache
spat out when I manually attempted a restart this morning, I think I ran
"service httpd start" as non-root, so it was permission denied, rather
than port-in-use.

I guess I need to modify my backup scripts to check that the various
processes actually exited after the "service stop" (although they
already do that using plain "service status").

> You might want to pull down rk-hunter or chkrootkit and run those
> against your machine too.

Not a bad idea too.
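As an added example that is not part of this thread, here is a small Python triage of `rpm -Va` output along the lines Kevin and Stephen discuss: missing files and md5/mode/owner changes on non-config files are ranked above routine config edits and mtime-only noise. The sample lines and paths are constructed, not taken from a real host.

```python
import re
from typing import List, NamedTuple, Optional
# rpm -V line: 8 or 9 flags (S M 5 D L U G T [P]; "." unchanged, "?" not tested),
# optional file-type letter (c d g l r), then the path.  Gone files print as "missing  <path>".
_CHANGED = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
_MISSING = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)$")
FLAGS = {"S": "size", "M": "mode", "5": "md5", "D": "device", "L": "symlink",
         "U": "user", "G": "group", "T": "mtime", "P": "capabilities"}

class Finding(NamedTuple):
    path: str
    severity: str  # "high", "medium" or "low"
    reason: str

def classify(line: str) -> Optional[Finding]:
    """Turn one rpm -V output line into a triage finding, or None for noise."""
    line = line.rstrip("\n")
    m = _MISSING.match(line)
    if m:
        return Finding(m["path"], "high", "file missing")
    m = _CHANGED.match(line)
    if not m:
        return None
    changed = sorted(FLAGS[c] for c in m["flags"] if c in FLAGS)
    if not changed:
        return None
    what = ",".join(changed)
    if m["ftype"] == "c":
        # Locally edited config files (size/md5/mtime) are expected noise;
        # a changed mode or owner on a config file is not.
        sev = "medium" if {"mode", "user", "group"} & set(changed) else "low"
        return Finding(m["path"], sev, "config changed: " + what)
    # Non-config: content/mode/owner/link changes are what a replaced binary leaves.
    # rpm -V is prelink-aware, so an md5 mismatch here is not explained by prelink.
    if {"md5", "mode", "user", "group", "symlink", "device"} & set(changed):
        return Finding(m["path"], "high", "payload changed: " + what)
    return Finding(m["path"], "low", "metadata only: " + what)

def triage(output: str) -> List[Finding]:
    """Classify every line of rpm -Va output, most severe first."""
    order = {"high": 0, "medium": 1, "low": 2}
    found = [f for f in map(classify, output.splitlines()) if f]
    return sorted(found, key=lambda f: (order[f.severity], f.path))

# Constructed sample output (not captured from a real host).
SAMPLE = """S.5....T.    /usr/bin/example-bin
.......T.  c /etc/example.conf
missing      /usr/sbin/example-daemon
.M.......  c /etc/example-secret.conf
"""
```

Feed it the real thing with `triage(subprocess.run(["rpm", "-Va"], capture_output=True, text=True).stdout)`; the regexes accept both the older 8-flag and the newer 9-flag output widths.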
