>>>>> "wtw" == William T Wilson <[EMAIL PROTECTED]> writes:
wtw> On Wed, 29 Apr 1998, Kevin W. Reed wrote:
>> What exactly is "lots of evil stuff"....
wtw> tcpd was replaced with a trojan one.
Ouch.
wtw> As it happens, the exploit process is still running, even
wtw> though the exploit itself has been removed. I know that Linux
wtw> maintains a descriptor/handle to a running program file even if
wtw> it's been removed from the filesystem and stores the inode
wtw> information in the /proc system. Therefore, I assume that if
wtw> someone has an appropriate utility (or I figure it out from
wtw> /proc) I can recover the exploit program and track down the
wtw> hole. That would make me a lot happier.
Here's an example of how you might do it, I've chosen a random PID on
my system, 429.:-
ls -l /proc/429/exe
might say:-
blah blah .... exe -> [0806]:100075
Where 0806 is the device (in this case /dev/sda6) and the 100075 is
the inode. You should be able to track down the file with
find /usr -inum 100075 -print
(Here, we use /usr because that's the filesystem mounted on
/dev/sda6).
On my system this produces one line of output, "/usr/sbin/rpc.rwalld".
Which is just what "ps ax 429" says for this case, a cracker's program
may well change argv[0] etc.
If there is no name referring to that inode (i.e. the name has been
deleted), then you will need to create a link to that inode. You do
this by following the instructions in the Ext2fs-Undeletion
mini-HOWTO. Basically, you ruhn debugfs and use
debugfs: mi 100075
You set the link count to , the dtime should still be zero (if
not, zero it).
Then
debugfs: link 100075 nasty-executable
(the manpage calls this command "ln" not "link". I don't know which
is correct).
which makes a directory entry point to the recovered inode. All the
block should still be correctly linked because the file was still
open. All the hand-wringing you-might-not-get-the-whole-file stuff
in the Ext2fs-Undeletion HOWTO doesn't apply here.
Still, it's best to remount the FS concerned read-only before running
debugfs on it, and fsck it afterwards.
wtw> (This is one of those days when I'm glad my network is doubly
wtw> redundant and I can afford to just drop a server for a couple
wtw> days!)
--
PLEASE read the Red Hat FAQ, Tips, Errata and the MAILING LIST ARCHIVES!
http://www.redhat.com/RedHat-FAQ /RedHat-Errata /RedHat-Tips /mailing-lists
To unsubscribe: mail [EMAIL PROTECTED] with
"unsubscribe" as the Subject.
