[CLUE-Tech] network issues
Mike Staver
staver at fimble.com
Mon Oct 13 13:09:31 MDT 2003
> netstat -apn will add the PID of process running that is opening the
> ports. However, if you have been rooted, that *may not* report correctly.
Ok, cool. I ran that rpm -Va command, and I got:
[root at timmy staver]# rpm -Va
S.5..... /bin/netstat
S.5..... /sbin/ifconfig
SM5..... /bin/ps
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sysconfig/pcmcia
.......T c /etc/libuser.conf
missing c /etc/rc.d/init.d/apmd
missing c /etc/rc.d/init.d/gpm
S.5....T c /etc/ldap.conf
missing /etc/rc.d/init.d/rhnsd
SM5....T c /etc/sysconfig/rhn/up2date
S.5....T c /etc/sysconfig/rhn/up2date-uuid
S.5....T /usr/share/rhn/RHNS-CA-CERT
SM5....T /usr/share/rhn/up2date_client/up2dateUtils.pyc
.......T c /etc/yp.conf
S.5....T c /etc/named.conf
S.5..... /usr/bin/ssh
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
.......T c /etc/krb5.conf
.M...... /dev/shm
.M....G. /dev/tty1
.M....G. /dev/tty2
.M....G. /dev/tty3
.M....G. /dev/tty4
.M....G. /dev/tty5
.M....G. /dev/tty6
S.5....T c /etc/openldap/ldap.conf
S.5..... /sbin/iptables
S.5....T c /etc/krb.conf
S.5..... c /etc/rndc.key
SM5....T c /etc/httpd/conf/httpd.conf
S.5....T c /etc/samba/smb.conf
.M...... /dev/shm
S.5..... /usr/sbin/sshd
I have no idea what any of that means, except the missing ones - I
removed those myself. I also changed the config files in question, but
I'm not sure about the others.
> Also, try www.chkrootikit.org - the application will check for the
> presence of a root kit and let you know which one it has found.
Very nice tool, I'll definitely try that and report back.
> If you end up re-installing again, do so without an internet connection.
> (Grab updates from an FTP site and install locally.) Then, tripwire the
> box *before* copying over your data or hooking up the next. Then, if
> this happens again, you will know exactly what system files have been
> modified that let this happen.
>
--
-Mike Staver
staver at fimble.com
mstaver at globaltaxnetwork.com
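
The flag columns in the rpm -Va output above can be decoded mechanically. The following is an added example, not part of the original message: it assumes the 8-column flag layout shown in the post (S size, M mode, 5 digest, D device, L symlink, U owner, G group, T mtime, with "c" marking a config file), and the names parse and suspicious are hypothetical.

```python
import re

# Flag letters as printed by `rpm -V`; the 8-column form on this page
# predates the ninth "P" (capabilities) column of newer rpm versions.
FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device",
    "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
    "P": "capabilities",
}
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/\S.*)$")

# Constructed sample: a few lines copied from the output in the message.
SAMPLE = """\
S.5..... /bin/netstat
SM5..... /bin/ps
S.5....T c /etc/named.conf
missing c /etc/rc.d/init.d/gpm
.M....G. /dev/tty1
S.5..... /usr/sbin/sshd
"""

def parse(text):
    """Return one dict per verify line: path, changed attributes, config flag."""
    out = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # prompt lines, blank lines, anything unrecognised
        flags, kind, path = m.groups()
        if flags == "missing":
            changed = ["missing"]
        else:
            changed = [FLAGS[c] for c in flags if c in FLAGS]
        out.append({"path": path, "changed": changed, "config": kind == "c"})
    return out

def suspicious(entries):
    """Non-config files whose content digest no longer matches the RPM database."""
    return [e["path"] for e in entries
            if "digest" in e["changed"] and not e["config"]]

if __name__ == "__main__":
    entries = parse(SAMPLE)
    for e in entries:
        kind = "config" if e["config"] else "file"
        print(f"{e['path']:28} {kind:6} {', '.join(e['changed'])}")
    print("review first:", suspicious(entries))
```

A digest mismatch on a non-config binary means the file on disk differs from what the package installed. The check relies on the host's own rpm binary and database, so run it from trusted media when the host's integrity is in question.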