[CLUE-Tech] network issues

Kevin Fenzi kevin at scrye.com
Mon Oct 13 13:33:17 MDT 2003


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Mike" == Mike Staver <staver at fimble.com> writes:

>> netstat -apn will add the PID of process running that is opening
>> the ports.  However, if you have been rooted, that *may not* report
>> correctly.

Mike> Ok, cool. I ran that rpm -Va command, and I got:

[root at timmy staver]# rpm -Va
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
SM5.....   /bin/ps
S.5....T c /etc/pam.d/system-auth
S.5....T c /etc/sysconfig/pcmcia
.......T c /etc/libuser.conf
missing  c /etc/rc.d/init.d/apmd
missing  c /etc/rc.d/init.d/gpm
S.5....T c /etc/ldap.conf
missing    /etc/rc.d/init.d/rhnsd
SM5....T c /etc/sysconfig/rhn/up2date
S.5....T c /etc/sysconfig/rhn/up2date-uuid
S.5....T   /usr/share/rhn/RHNS-CA-CERT
SM5....T   /usr/share/rhn/up2date_client/up2dateUtils.pyc
.......T c /etc/yp.conf
S.5....T c /etc/named.conf
S.5.....   /usr/bin/ssh
.......T c /etc/mail/sendmail.cf
SM5....T c /etc/mail/submit.cf
.......T c /etc/krb5.conf
.M......   /dev/shm
.M....G.   /dev/tty1
.M....G.   /dev/tty2
.M....G.   /dev/tty3
.M....G.   /dev/tty4
.M....G.   /dev/tty5
.M....G.   /dev/tty6
S.5....T c /etc/openldap/ldap.conf
S.5.....   /sbin/iptables
S.5....T c /etc/krb.conf
S.5..... c /etc/rndc.key
SM5....T c /etc/httpd/conf/httpd.conf
S.5....T c /etc/samba/smb.conf
.M......   /dev/shm
S.5.....   /usr/sbin/sshd

Mike> I have no idea what any of that means, except the missing ones -
Mike> I removed those myself.  I also changed the config files in
Mike> question, but I'm not sure about the others.

The important ones are: 

S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
SM5.....   /bin/ps
S.5.....   /usr/bin/ssh
S.5.....   /sbin/iptables
S.5.....   /usr/sbin/sshd

Those are all critical system binaries that have an md5 checksum that
no longer matches what's in the rpm database (i.e., they have been
replaced). 

So is your firewall on the local machine? If so, then with iptables
replaced it will only work as the intruder wants. 

Did you use the same passwords when you re-installed? 
If the intruder sniffed your passwords when you logged in via ssh (see
the ssh and sshd above) they could be getting in via that. 

>> Also, try www.chkrootikit.org - the application will check for the
>> presence of a root kit and let you know which one it has found.

Mike> Very nice tool, I'll definitely try that and report back.

yeah, chkrootkit is a nice tool. 

I would say you need to do yet another clean install. 
Make sure all the updates are applied before you let it on the net at
all. (download rpms and burn to cd or the like). Make sure you use
different passwords. Turn off anything you don't need. 

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQE/iv3+3imCezTjY0ERAujKAKCPCXWaCFVnmhdBD13dIvYzMOHqggCfSWLx
/L6Coz8aZIs6Ypo8JgbBRZo=
=jAq+
-----END PGP SIGNATURE-----
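An added example, not part of this mailing-list thread, that reads `rpm -Va` output the way Kevin does above: each line is an 8-character flag field (S size, M mode, 5 MD5 digest, D device, L link, U user, G group, T mtime; "." means that test passed), an optional attribute letter such as `c` for a config file, and the path. A digest mismatch on a non-config file under a binary directory is the "replaced binary" case; a digest mismatch on a `c` file is an edited config; mode/group changes on `/dev` nodes and mtime-only changes are ranked low. The sample lines are a subset copied from Mike's output; the regex, the category names and the `_EXEC_DIRS` list are my own choices, not anything from rpm itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# rpm verify line: flag field (8 chars; newer rpm prints 9, adding P for
# capabilities) or the word "missing", optional attribute letter, then path.
_LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.]{8,9}|missing)\s+"
    r"(?:(?P<attr>[cdglr])\s+)?"
    r"(?P<path>/\S+)\s*$"
)

# Directories whose package-owned files are executables or shared libraries.
# Assumption of this example: a digest change here means the file was replaced.
_EXEC_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/lib/", "/usr/lib/")


def parse_verify_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (flags, attr, path) for one `rpm -Va` line, None for anything else."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("flags"), m.group("attr") or "", m.group("path")


def classify(flags: str, attr: str, path: str) -> str:
    """Rank one verify result by how worrying it is on a possibly rooted host."""
    if flags == "missing":
        return "missing"
    if "5" in flags and attr != "c":
        # Content differs from what the package shipped. For a binary under
        # _EXEC_DIRS that is the rootkit signature Kevin points at; for data
        # files (a .pyc, a CA cert bundle) it still deserves a look, though
        # such files can also be rewritten legitimately.
        return "replaced-binary" if path.startswith(_EXEC_DIRS) else "replaced-file"
    if "5" in flags:
        return "edited-config"          # admin edits to c files look like this
    if path.startswith("/dev/") and any(f in flags for f in "MUG"):
        return "device-perms"           # tty/shm mode and group churn is routine
    if flags.strip(".") == "T":
        return "mtime-only"             # timestamp touched, content identical
    return "other"


def replaced_binaries(output: str) -> List[str]:
    """Package-owned executables whose digest no longer matches the rpm database."""
    found: List[str] = []
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        flags, attr, path = parsed
        if classify(flags, attr, path) == "replaced-binary" and path not in found:
            found.append(path)
    return found


def summarize(output: str) -> Dict[str, List[str]]:
    """Group every parsed path by category, deduplicated and sorted."""
    groups: Dict[str, set] = {}
    for line in output.splitlines():
        parsed = parse_verify_line(line)
        if parsed is None:
            continue
        flags, attr, path = parsed
        groups.setdefault(classify(flags, attr, path), set()).add(path)
    return {cat: sorted(paths) for cat, paths in groups.items()}


# Subset of the `rpm -Va` output quoted in the thread (the prompt line is
# included to show that non-verify lines are skipped).
SAMPLE = """\
[root at timmy staver]# rpm -Va
S.5.....   /bin/netstat
S.5.....   /sbin/ifconfig
SM5.....   /bin/ps
S.5....T c /etc/pam.d/system-auth
.......T c /etc/libuser.conf
missing  c /etc/rc.d/init.d/apmd
missing    /etc/rc.d/init.d/rhnsd
S.5....T   /usr/share/rhn/RHNS-CA-CERT
SM5....T   /usr/share/rhn/up2date_client/up2dateUtils.pyc
S.5.....   /usr/bin/ssh
.M......   /dev/shm
.M....G.   /dev/tty1
S.5.....   /sbin/iptables
S.5..... c /etc/rndc.key
SM5....T c /etc/httpd/conf/httpd.conf
.M......   /dev/shm
S.5.....   /usr/sbin/sshd
"""

if __name__ == "__main__":
    for category, paths in summarize(SAMPLE).items():
        print(f"{category}:")
        for p in paths:
            print(f"  {p}")
```

Run against the sample, `replaced_binaries` returns exactly the six paths Kevin singles out (netstat, ifconfig, ps, ssh, iptables, sshd). Note that this only tells you the files differ from the rpm database on the same host; as the thread says, a rooted system can lie, so the trustworthy version of this check is `rpm -Va` run from clean boot media against the mounted disk, or a comparison against a known-good install.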
