compromised Linux box
chris.carey at gmail.com
Thu Apr 12 15:41:55 MDT 2007
On 4/12/07, Ryan Simpkins <plug at ryansimpkins.com> wrote:
> Sorry for the self reply - but I forgot something.
> ALWAYS find out how they got in BEFORE you stop processes, wipe the system, and
> restore your backup. You'll just get compromised again. Use lsof, and /proc/<pid of
> offending process>/env to look for clues regarding how they got in. You can also try
> sending rootkit daemons SIGSTOP to freeze the process while you examine it.
Those are good tips. I recently was asked to investigate someone's box
that was broken into. He/she put the files in the /dev/ filesystem,
which was an interesting trick - I guess it acts as a pseudo
RAM disk. But he/she did not wipe logs, .bash_history, w, lastlog, or
last (wtmp or utmp) - which left a trail.
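The triage steps the two posts describe (freeze the suspect process with SIGSTOP, read its environment out of /proc, list its open files, look for ordinary files stashed under /dev, and pull the login trail from last/lastlog/w) as a small set of shell helpers. This is an added example and not code posted by either author; it assumes a Linux host with a working /proc and coreutils, that lsof may or may not be installed, and that the suspect PID has already been picked out with ps or netstat. The function names are my own.

```shell
#!/bin/sh
# Live-triage helpers for a compromised Linux host (added example, not from the thread).
# Assumptions (not stated in the posts): /proc is mounted and readable, coreutils are
# intact, lsof is optional, and the caller runs as root for other users' processes.

# 1. Ordinary files stashed under a device directory. /dev normally holds only device
#    nodes, symlinks, sockets and FIFOs, so a regular file there deserves a look.
#    /dev/shm is a tmpfs that legitimately holds files, so it is pruned.
find_stashed_files() {
    dir="${1:-/dev}"
    find "$dir" -xdev -path "$dir/shm" -prune -o -type f -print 2>/dev/null | sort
}

# 2. Dump a process's environment. /proc/<pid>/environ is NUL-separated, so turn the
#    NULs into newlines; it often still carries the SSH_CLIENT, PWD or OLDPWD of
#    whoever launched the daemon.
proc_environ() {
    pid="$1"
    [ -r "/proc/$pid/environ" ] || { echo "no /proc/$pid/environ" >&2; return 1; }
    tr '\0' '\n' < "/proc/$pid/environ"
}

# 3. Process state letter from /proc/<pid>/stat (R, S, D, T = stopped, Z ...).
#    The comm field sits in parentheses and may contain spaces, so cut after the
#    last ')' before splitting on spaces.
proc_state() {
    pid="$1"
    [ -r "/proc/$pid/stat" ] || return 1
    sed 's/.*) //' "/proc/$pid/stat" | cut -d' ' -f1
}

# 4. Freeze the suspect process (SIGSTOP cannot be caught or ignored, so even a
#    rootkit daemon obeys it) and collect: the binary it really is (exe may point at
#    a deleted file), where it was started, its command line, open fds, environment
#    and, if lsof is present, its full open-file table including sockets.
freeze_and_inspect() {
    pid="$1"
    kill -STOP "$pid" || return 1
    echo "== state:   $(proc_state "$pid")"
    echo "== exe:     $(readlink "/proc/$pid/exe")"
    echo "== cwd:     $(readlink "/proc/$pid/cwd")"
    echo "== cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline")"
    echo "== open fds:"; ls -l "/proc/$pid/fd" 2>/dev/null
    echo "== environ:"; proc_environ "$pid"
    if command -v lsof >/dev/null 2>&1; then
        echo "== lsof:"; lsof -n -p "$pid"
    fi
    return 0
}

# 5. The login trail the intruder in this case did not wipe: wtmp via last,
#    lastlog, current sessions via w, and shell histories.
login_trail() {
    echo "== last -a (wtmp):"; last -a 2>/dev/null | head -n 20
    echo "== lastlog:";        lastlog 2>/dev/null | grep -v 'Never logged in'
    echo "== w:";              w 2>/dev/null
    for h in /root/.bash_history /home/*/.bash_history; do
        [ -f "$h" ] && { echo "== $h:"; tail -n 20 "$h"; }
    done
    return 0
}

# Usage (as root): freeze_and_inspect 4242; find_stashed_files /dev; login_trail
# Resume the process later with: kill -CONT 4242
```

Run these before killing anything, in line with the advice above: once the process is gone its /proc entry, its environment and its open sockets go with it. Note that /proc/<pid>/exe and /proc/<pid>/fd are symlinks, so readlink and ls -l show the real targets even when the file on disk has been unlinked.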