Re: [SLUG] LKM rootkits

From: Derek Glidden (dglidden@illusionary.com)
Date: Wed Feb 26 2003 - 16:00:16 EST


On Wed, 2003-02-26 at 15:48, Ian C. Blenke wrote:
> On Wednesday 26 February 2003 15:36, Kai Lien wrote:
> > One of our boxes got hacked two nights ago. I believe it was an LKM and
> > chkrootkit agrees also. I suspected that the cracker was using port 443
> > (https) to access the box since nmap from another box did not show any
> > suspicious ports. I believe the cracker had used a bindtty.c utility to
> > get a telnet prompt on tty1 using port 443. chkrootkit shows there was 1
> > process hidden from the ps command and 1 process hidden from the readdir command.
> >
> > What tools are available to find these hidden processes?
> >
> > I tried to compile knarkfind.c, but it errors out.
> >
> > Ian or any linux gurus out there?
>
> Once you find that you've been rootkitted, rebuild your box. You can no longer
> trust anything on that install. It's that simple, really.
>
> Alternatively, if you *had* been using a tripwire system like Integrit and
> have the "known good" list of file hashes before you were owned, it might be
> possible to check what files have been changed and with some care you might
> be able to trust that box again. But I wouldn't.
>
> Seriously, rebuild that box.

P.S. Ian and I had no communication prior to us both answering your
question in almost identical fashion; even to the extent of using some
of the same words.

We're just both really, REALLY cool.

;)

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 

usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \ | extract_mpeg2 | mpeg2dec -

http://www.cs.cmu.edu/~dst/DeCSS/Gallery/ http://www.eff.org/ http://www.anti-dmca.org/
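The "hidden from ps / hidden from readdir" report in the original question comes from comparing two views of the process table: the PIDs that /proc lists through readdir() (which is all ps ever sees) against the PIDs the kernel still acknowledges when probed directly with kill(pid, 0). An LKM rootkit that filters getdents() on /proc hides from the first view but usually not from the second. The program below is an added example written for this archive page; it is not code from the thread, from chkrootkit or from knarkfind, although it applies the same idea as chkrootkit's chkproc. It assumes Linux with /proc mounted. Two practical details are handled: thread IDs are never listed in /proc (they live under /proc/<tgid>/task), so a PID whose Tgid differs from itself is a thread and not a hidden process, and a process that starts or exits between the two probes would look hidden, so candidates are re-checked before being reported.

```c
/* hidden_pids.c: report PIDs that answer kill(pid, 0) but are absent from
 * readdir("/proc"). Added example; assumes Linux with /proc mounted.
 * Build: gcc -static -O2 -o hidden_pids hidden_pids.c   (static, so it does
 * not depend on a libc the intruder may have replaced). */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum pid_state { PID_GONE, PID_VISIBLE, PID_THREAD, PID_HIDDEN };

/* Highest PID to probe: /proc/sys/kernel/pid_max, falling back to the
 * classic 32768 if it cannot be read. */
int pid_limit(void) {
    int max = 32768;
    FILE *f = fopen("/proc/sys/kernel/pid_max", "r");
    if (f) {
        if (fscanf(f, "%d", &max) != 1) max = 32768;
        fclose(f);
    }
    return max;
}

/* Does the kernel acknowledge this PID? kill() with signal 0 delivers
 * nothing: ESRCH means no such task, EPERM means it exists but is not ours. */
int pid_alive(pid_t pid) {
    if (kill(pid, 0) == 0) return 1;
    return errno == EPERM;
}

/* Is the PID among the directory entries readdir() returns for /proc,
 * i.e. the view ps and ls work from? Returns -1 if /proc is unreadable. */
int pid_listed(pid_t pid) {
    DIR *d = opendir("/proc");
    struct dirent *e;
    int found = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL) {
        if (isdigit((unsigned char)e->d_name[0]) && (pid_t)atol(e->d_name) == pid) {
            found = 1;
            break;
        }
    }
    closedir(d);
    return found;
}

/* Thread group id from /proc/<pid>/status, or -1 if it cannot be read.
 * /proc/<tid> can be opened by name even though readdir() never lists it. */
pid_t read_tgid(pid_t pid) {
    char path[64], line[256];
    pid_t tgid = -1;
    snprintf(path, sizeof path, "/proc/%d/status", (int)pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "Tgid:", 5) == 0) { tgid = (pid_t)atol(line + 5); break; }
    }
    fclose(f);
    return tgid;
}

enum pid_state classify_pid(pid_t pid) {
    if (!pid_alive(pid)) return PID_GONE;
    if (pid_listed(pid) == 1) return PID_VISIBLE;
    pid_t tgid = read_tgid(pid);
    if (tgid > 0 && tgid != pid) return PID_THREAD;   /* unlisted, not hidden */
    /* Candidate: re-probe to rule out a process that exited or appeared
     * between the two checks above. */
    if (!pid_alive(pid)) return PID_GONE;
    if (pid_listed(pid) == 1) return PID_VISIBLE;
    return PID_HIDDEN;
}

/* Walk the whole PID range; stores up to cap hidden PIDs in out[] and
 * returns how many were found. */
int scan_hidden_pids(pid_t *out, int cap) {
    int n = 0, max = pid_limit();
    for (pid_t pid = 1; pid <= max; pid++)
        if (classify_pid(pid) == PID_HIDDEN && n < cap) out[n++] = pid;
    return n;
}

/* Self-check on a clean host: our own PID must be VISIBLE and a child we
 * have already reaped must be GONE. Returns 1 when both hold. */
int selftest(void) {
    pid_t child = fork();
    if (child == 0) _exit(0);
    if (child < 0) return 0;
    waitpid(child, NULL, 0);
    return classify_pid(getpid()) == PID_VISIBLE && classify_pid(child) == PID_GONE;
}

int main(void) {
    pid_t hidden[64];
    int n = scan_hidden_pids(hidden, 64);
    for (int i = 0; i < n; i++)
        printf("PID %d answers kill() but is missing from /proc readdir()\n", (int)hidden[i]);
    printf("%d hidden PID(s)\n", n);
    return n ? 1 : 0;
}
```

A positive result tells you which PID to look at (/proc/<pid>/exe, /proc/<pid>/cmdline and /proc/<pid>/fd still open by name while the directory entry is filtered), but the tool runs on the compromised kernel, so a rootkit that also hooks kill() or open() can blind it; treat it as evidence gathering before the rebuild Ian and Derek recommend, not as a way to certify the box clean.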



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:52:44 EDT