ACK! How to fix a compromised system?
Dave Hull
dphull at insipid.com
Sun Apr 20 03:46:12 CDT 2003
On Sat, 19 Apr 2003, Hanasaki JiJi wrote:
> What are signs to look for in a compromised system?
I read this in the "Linux Hacks" book that's out from O'Reilly and found it
interesting. According to the author (Fleckinger?), you can load up modules
and replace binaries which will hide processes, etc., but it's much more
difficult to muck with /proc.
Therefore, it's possible to use the following command line,
ls -d /proc/* | grep '[0-9]' | wc -l; ps ax | wc -l
which counts the number of directory entries in /proc which are associated
with a PID; the second half counts the number of processes
displayed by "ps ax". Obviously, if your counts are wildly different over a
few runs, you've likely got a problem. I ran this on my system and found the
numbers to be wildly different, but this turned out to be due to an alias for
ls.
Granted, this method is not foolproof and the more this gets used, the more
likely future rootkits will be to try and fool this method.
If you know what services you have running on a system and what ports those
services are running on, you can use nmap or the port scanner of your choice
to see if you have any odd ports listening.
I've also found many rootkited machines which leave lsof untouched; though I'm
sure there are rootkits which replace it, I've just not seen them. Running
"lsof -i" on a machine gives output similar to netstat.
--
Dave Hull
http://insipid.com
Ask not what's inside your head, but what your head's inside of.
-- J.J. Gibson
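The /proc-versus-ps comparison from the post, worked into a script. This is an added example, not code from the original message; it goes a step beyond the post's counts by listing the individual PIDs that /proc knows about but ps does not, and it sidesteps the ls alias problem by globbing /proc directly instead of calling ls.

```shell
#!/bin/sh
# Added example: report PIDs visible in /proc that "ps ax" does not list.
# A difference that persists across several runs is the signal described in
# the post; a one-off mismatch is usually a process that started or exited
# between the two snapshots, so re-run before drawing conclusions.

# PIDs present in /proc, one per line, sorted numerically. Globbing
# /proc/[0-9]* avoids both an unquoted grep pattern and any alias for ls.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d##*/}"
    done | sort -n
}

# PIDs reported by "ps ax" (same command as the post), header dropped.
ps_pids() {
    ps ax | awk 'NR > 1 { print $1 }' | sort -n
}

# hidden_pids A B: print entries of newline-separated list A that are absent
# from list B. Kept as a pure function so it can be checked on constructed
# input as well as run against live data.
hidden_pids() {
    printf '%s\n' "$1" | awk -v b="$2" '
        BEGIN { n = split(b, arr, "\n"); for (i = 1; i <= n; i++) seen[arr[i]] = 1 }
        $1 != "" && !($1 in seen) { print $1 }'
}

# Live check: snapshot /proc first, then ps, and diff the two views.
check_hidden() {
    hidden_pids "$(proc_pids)" "$(ps_pids)"
}

main() {
    hidden="$(check_hidden)"
    if [ -n "$hidden" ]; then
        echo "PIDs in /proc but not in ps (re-run to rule out transient processes):"
        echo "$hidden"
    else
        echo "no hidden PIDs detected"
    fi
}

main
```

Like the original one-liner, this only catches rootkits that hide from ps but not from /proc; a kernel-level rootkit that filters /proc reads will show a clean diff.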