Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Security-Basics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Linux hacked

from [Barrie Dempster] Network Security [Permanent Link]
Subject: Re: Linux hacked
Date: Thu, 21 Oct 2004 11:08:37 +0100 
On Wed, 2004-10-20 at 11:52 -0500, Nicholson, Dale wrote:

<snip>

Can someone help me with where to get a listing of everything I have
installed and the versions?

`ls /var/db/pkg/*/*/*.ebuild | cut -d/ -f5-6 | less`
 
will list everything you have installed


Also, I need something that can detect root kits etc. on linux.  I've heard
knoppix mentioned as having good tools on this list for an example, but I
wouldn't know what tools to use for this particular case.

chkrootkit - http://www.chkrootkit.org
or
rkhunter - http://freshmeat.net/projects/rkhunter

You will also find chkrootkit on knoppix-STD -
http://www.knoppix-std.org


This is what I tried so far:
I logged in using a boot CD, mounted the hard disks, chrooted in, blanked
out the root password in the /etc/shadow file, changed the root password,
rebooted and tried to log in normally.  This did not work.  I also checked
that the correct users were in both /etc/passwd and /etc/shadow.


Attacker may have modified the login binary, since it's a gentoo box
and the binaries will be self compiled it will be hard to verify this
since I'm under the impression you haven't been performing integrity
checks. I suggest you don't put this install back into production, as since
you are a self confessed novice you will have a hard time cleaning it
out.

Find all the key configuration files and back them up (or use a recent
backup), before a reinstall of the system, then replace everything as
needed. Be sure to verify that the configuration files you restore to
the new install don't have any dodgy modifications, if in doubt re-build
the config from the default config files.

No offence intended but if your admin can't talk you through getting
access to the box again, than maybe you should seek advice from
elsewhere on the running of your machine. Since you have little security
experience yourself getting someone that knows security would be a good
help. Also updating a machine once a week doesn't equate to good
security, if he isn't log monitoring and performing integrity checks,
then you won't know if you are being attacked or not.

Good Luck. :-)

-- 
Barrie Dempster (zeedo) - Fortiter et Strenue

  http://www.bsrf.org.uk

[ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

Attachment: signature.asc
Description: This is a digitally signed message part

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  MBSA Results into DB OR Alternative?, O'dorisio, Steve
Next by Date:  RE: breakout of citrix, Depp, Dennis M.
Previous by Thread:  RE: Linux hacked, Randori
Next by Thread:  Re: Linux hacked, Miles Stevenson
Indexes:  [Date] [Thread] [Top] [All Lists]