[Gllug] rooting?
Robert McKay
robert at mckay.com
Thu Feb 14 09:35:29 UTC 2002
On Thu, 14 Feb 2002, Allen Wayne wrote:
> Hi All,
>
> can anyone point me in the best direction to check if a machine has been
> rooted ... possibly by the tuxkit? I have been asked to look at a PC running
> RH6.???? with quite a few holes over (open ports etc etc...) root recently
> received a message about undeliverable mail referring to the tuxkit
> install... and a couple of logs appear to be either missing or unusual
> ....very long ftp logins missing ftp transfers
> any pointers please????
> Wayne
Get a new ps and netstat binary from somewhere you know to be clean and
see what's running or listening. Also check /etc/inittab and
/etc/inetd.conf for `evil' programs being started.
http://silver.tuxtendo.nl/tuxtendo/rootkit/tuxkit-1.0.tgz
It seems like tuxkit replaces a number of binaries including sshd so you
probably ought to take a look at that. Check for the presence of a
/dev/tux directory containing various parts of the kit.
-Rob.
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
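The checks suggested in the reply above, as an added example that is not part of the original thread: a POSIX shell script that looks for the /dev/tux directory and reports what /etc/inetd.conf and /etc/inittab start. The function names, the mount-point argument and the directory allowlists are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run it with a shell and utilities from known-clean media
# against the suspect disk mounted at ROOT (for instance /mnt/suspect, assumed).

# Active (non-comment, non-blank) lines of a config file.
active_lines() {
    [ -r "$1" ] && grep -Ev '^[[:space:]]*(#|$)' "$1"
}

# inetd.conf: service name (field 1) and server program (field 6).
# With tcpd wrappers field 6 is tcpd and the daemon itself is field 7.
inetd_programs() {
    active_lines "$1/etc/inetd.conf" | awk '{ print $1, $6 }'
}

# inittab: id and process, from id:runlevels:action:process.
inittab_programs() {
    active_lines "$1/etc/inittab" | cut -d: -f1,4-
}

# One finding per line. The directory allowlists are an assumed heuristic.
triage() {
    root=$1
    [ -d "$root/dev/tux" ] && echo "FOUND dev/tux directory present"
    inetd_programs "$root" | while read -r svc prog; do
        case $prog in
            internal) ;;
            /usr/sbin/*|/usr/bin/*|/sbin/*|/bin/*)
                [ -x "$root$prog" ] || echo "REVIEW inetd $svc: $prog missing or not executable" ;;
            *) echo "REVIEW inetd $svc: $prog in unusual location" ;;
        esac
    done
    inittab_programs "$root" | while IFS=: read -r id proc; do
        case ${proc%% *} in
            ""|/sbin/*|/bin/*|/usr/sbin/*|/usr/bin/*|/etc/rc.d/*|/etc/X11/*) ;;
            *) echo "REVIEW inittab $id: $proc" ;;
        esac
    done
    return 0
}

if [ $# -gt 0 ]; then triage "$1"; fi
```

A REVIEW line is a prompt to inspect that entry by hand, not a verdict; an empty report does not clear the machine, since the replaced binaries such as sshd still need checking.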