Computer Forensics
Michael R Hanulec
hanulec at hanulec.com
Sat Mar 23 11:44:04 EST 2002
I had a system compromised lately due to an old version of ssh. I ran
chkrootkit (http://www.chkrootkit.org/) on the machine and was able to
then remove corrupted binaries and replace them with RPMs from a CD. For
my particular problem I found the following URL somewhat useful:

http://www.yolinux.com/TUTORIALS/LinuxTutorial-woot-project.html

Thankfully, unlike the author of this tutorial, I was able to safely
re-secure this broken-into machine. 'netstat -an' (once fixed via rpm) was
key in showing me which services were running on the box. Make sure
to look through your init files, since I found a lot of seemingly
normal-looking applications being started in configuration files
(usually appended to the bottom) which were actually unix worms.
Rebooting the server A LOT and checking the output of a working 'netstat' and
'ps' helped find all of those applications.

Best of luck.
-mike
--
mike at hanulec.com cell: 516.410.4478
https://secure.hanulec.com EFnet irc && aol im: hanulec
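The init-file check described in the post (innocuous-looking programs appended to the bottom of startup scripts), as an added shell example that is not part of the original message; the sample rc.local and the path patterns flagged are my own assumptions, not indicators taken from the post.

```sh
#!/bin/sh
# Added example, not code from the original post. Flags startup lines in an
# init file that launch a program from a location a stock rc.local would not
# use: world-writable temp directories or hidden (dot) directories. The
# pattern list is an assumption for illustration, not an exhaustive indicator set.

# make_sample_rc: write a constructed rc.local to a temp file and print its
# path. Two normal lines, then appended entries of the kind the post describes.
make_sample_rc() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
#!/bin/sh
touch /var/lock/subsys/local
/usr/sbin/ntpd -g
/dev/shm/.x/syslogd
/tmp/...
/var/tmp/.ICE-unix/httpd
EOF
  echo "$f"
}

# suspicious_start_lines FILE: print (with line numbers) lines that start a
# program from /tmp, /var/tmp, /dev/shm, or any hidden directory component.
suspicious_start_lines() {
  grep -nE '^[[:space:]]*(/tmp|/var/tmp|/dev/shm)/|/\.[^/[:space:]]+/' "$1"
}

# count_suspicious FILE: number of flagged lines, for use in scripts.
count_suspicious() {
  suspicious_start_lines "$1" | wc -l | tr -d ' '
}

# verify_tools: confirm that the packages providing 'netstat' and 'ps' still
# match their RPM, the step the post relied on before trusting their output.
# 'rpm -V' prints nothing when every file verifies; skipped on non-RPM systems.
verify_tools() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not available; skipped"; return 0; }
  rpm -V net-tools procps 2>&1
}

rc=$(make_sample_rc)
suspicious_start_lines "$rc"
echo "flagged: $(count_suspicious "$rc")"   # prints "flagged: 3"
rm -f "$rc"
```

Run the same functions against /etc/rc.d/rc.local and the rc*.d scripts on a real host, and treat any hit as a line to explain, not automatically as malicious.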