Scanning your system for rootkits
Earlier this week we looked for anomalies on a server that looked like it might have been cracked. We ran 'ls -ltr' in the /bin directory and found that the 'ps' command was a new version that was less than 100 bytes long. It was a script that called the real ps and filtered out 'telnetd' and 'grep' -- using the grep command. Not surprisingly, there were three new root accounts in /etc/passwd.
"Usually, the first sign that a server might be compromised is simple anomalies in the behavior of the server. One of the more common anomalies one might notice is a change in how one or more of the core system utilities behave. For instance, a command-line switch to 'netstat' or 'ps', which you used to use without a problem every day, might start returning an error message. The reason for this is that intruders replace these utilities with versions designed to hide their malicious activities."
-Ray, February 8, 2002
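The replaced 'ps' described above is a shell script where an ELF executable should be, piping the real command through 'grep -v'. The following is an added example, not code from the original post or the quoted article: a small POSIX sh check that flags core utilities that are not ELF binaries (and notes a 'grep -v' filter when it finds one), plus a hash baseline to catch the subtler case where the replacement is itself a compiled binary. The function names and the list of utilities in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): detect a trojaned utility of the
# kind described above, and keep/verify a hash baseline of core binaries.
# Function names and the utility list below are assumptions of this example.

# Hex of the first four bytes of a file (an ELF executable begins 7f 45 4c 46).
file_magic() {
    head -c 4 "$1" | od -An -tx1 | tr -d ' \n'
}

# check_binary PATH: return 0 if PATH looks like a genuine native executable,
# 1 if it is missing or is not an ELF file (for example a shell script that
# filters the real command's output, as the replaced 'ps' did).
check_binary() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "$f: missing"
        return 1
    fi
    size=$(wc -c < "$f" | tr -d ' ')
    magic=$(file_magic "$f")
    if [ "$magic" != "7f454c46" ]; then
        reason="not an ELF binary ($size bytes, magic $magic)"
        # A wrapper that hides processes typically pipes through 'grep -v'.
        if grep -q 'grep *-v' "$f" 2>/dev/null; then
            reason="$reason, contains a 'grep -v' filter"
        fi
        echo "$f: $reason"
        return 1
    fi
    return 0
}

# hash_file PATH: print "sha256 path", using whichever tool is available.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# record_hashes LISTFILE OUT: write the hash of every path in LISTFILE to OUT.
# Take this on a known-clean system and keep it on read-only media.
record_hashes() {
    while read -r p; do
        [ -n "$p" ] && hash_file "$p"
    done < "$1" > "$2"
}

# verify_hashes BASELINE: recompute each hash; return 1 if any file changed.
verify_hashes() {
    bad=0
    while read -r want p; do
        have=$(hash_file "$p" 2>/dev/null | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "$p: hash changed"
            bad=1
        fi
    done < "$1"
    return $bad
}

# scan_bins PATH...: run check_binary over each argument; return 1 if any fail.
scan_bins() {
    bad=0
    for f in "$@"; do
        check_binary "$f" || bad=1
    done
    return $bad
}

# Typical use on a live host (the list of utilities is an assumption):
#   sh scan.sh --scan /bin/ps /bin/ls /bin/netstat /bin/login /usr/bin/find
#   record_hashes bins.txt baseline.sha256     (on a known-clean system)
#   verify_hashes baseline.sha256
if [ "$1" = "--scan" ]; then
    shift
    scan_bins "$@"
fi
```

The magic-byte check catches only the crude case in the post; a replacement that is itself a compiled binary passes it, which is what the hash baseline is for. Both checks rely on the host's own head, od, grep and sha256sum, so on a machine you already suspect, run them from known-good copies on read-only media, and prefer a baseline taken before the incident (or the package manager's own verification) over one recorded after it.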