[CLUE-Tech] network issues

Mike Staver staver at fimble.com
Mon Oct 13 13:09:31 MDT 2003


> netstat -apn will add the PID of process running that is opening the 
> ports.  However, if you have been rooted, that *may not* report correctly.

Ok, cool. I ran that rpm -Va command, and I got:

[root at timmy staver]# rpm -Va
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
SM5.....   /bin/ps
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sysconfig/pcmcia
.......T c /etc/libuser.conf
missing  c /etc/rc.d/init.d/apmd
missing  c /etc/rc.d/init.d/gpm
S.5....T c /etc/ldap.conf
missing    /etc/rc.d/init.d/rhnsd
SM5....T c /etc/sysconfig/rhn/up2date
S.5....T c /etc/sysconfig/rhn/up2date-uuid
S.5....T   /usr/share/rhn/RHNS-CA-CERT
SM5....T   /usr/share/rhn/up2date_client/up2dateUtils.pyc
.......T c /etc/yp.conf
S.5....T c /etc/named.conf
S.5.....   /usr/bin/ssh
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
.......T c /etc/krb5.conf
.M......   /dev/shm
.M....G.   /dev/tty1
.M....G.   /dev/tty2
.M....G.   /dev/tty3
.M....G.   /dev/tty4
.M....G.   /dev/tty5
.M....G.   /dev/tty6
S.5....T c /etc/openldap/ldap.conf
S.5.....   /sbin/iptables
S.5....T c /etc/krb.conf
S.5..... c /etc/rndc.key
SM5....T c /etc/httpd/conf/httpd.conf
S.5....T c /etc/samba/smb.conf
.M......   /dev/shm
S.5.....   /usr/sbin/sshd

I have no idea what any of that means, except the missing ones - I 
removed those myself.  I also changed the config files in question, but 
I'm not sure about the others.


> Also, try www.chkrootikit.org - the application will check for the 
> presence of a root kit and let you know which one it has found.

Very nice tool, I'll definitely try that and report back.

> If you end up re-installing again, do so without an internet connection.  
> (Grab updates from an FTP site and install locally.) Then, tripwire the 
> box *before* copying over your data or hooking up the next.  Then, if 
> this happens again, you will know exactly what system files have been 
> modified that let this happen.
> 


-- 

                                 -Mike Staver
                                  staver at fimble.com
                                  mstaver at globaltaxnetwork.com
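
How to read the rpm -Va output in the message above, as an added example that is not part of the original post: each letter in the first column marks one attribute that no longer matches the RPM database (S size, M mode, 5 digest, D device, L symlink, U owner, G group, T mtime), and "c" marks a config file. The function names parse and triage are made up for this sketch; it lists files that are not config files but whose content digest changed.

```python
import re

# Columns of the rpm -V attribute string, per rpm(8). Older rpm prints 8
# columns (as in the message above); current releases add a 9th, P.
FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}

LINE = re.compile(r"^(?P<flags>[SM5DLUGTP.?]{8,9}|missing)\s+"
                  r"(?:(?P<kind>[cdglr])\s+)?(?P<path>/.*)$")

def parse(line):
    """Split one rpm -V line into path, config marker and changed attributes."""
    m = LINE.match(line.strip())
    if not m:
        return None
    flags = m["flags"]
    changed = (["missing"] if flags == "missing"
               else [FLAGS[c] for c in flags if c in FLAGS])
    return {"path": m["path"], "config": m["kind"] == "c", "changed": changed}

def triage(output):
    """Paths of non-config files whose content digest no longer matches."""
    hits = []
    for line in output.splitlines():
        rec = parse(line)
        if rec and not rec["config"] and "digest" in rec["changed"]:
            hits.append(rec["path"])
    return hits

# Lines copied from the rpm -Va output in the message above.
SAMPLE = """\
S.5.....   /bin/netstat
SM5.....   /bin/ps
S.5....T c /etc/named.conf
missing  c /etc/rc.d/init.d/apmd
.M....G.   /dev/tty1
S.5....T   /usr/share/rhn/RHNS-CA-CERT
S.5.....   /usr/sbin/sshd
"""

if __name__ == "__main__":
    for path in triage(SAMPLE):
        print("content changed, not a config file:", path)
```

A changed digest on a packaged binary is a lead to follow up by comparing the file against the package from trusted install media, since the RPM database on the host is only as trustworthy as the host itself.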
