Timothy Writer wrote:

>Lewi <[EMAIL PROTECTED]> writes:
>
>>I was just checking where passwd comes from, and when I ran
>># whereis passwd
>>passwd: /bin/passwd /usr/bin/passwd /etc/passwd.OLD /etc/passwd /usr/share/man/man1/passwd.1.gz
>>
>>then I checked
>># rpm -qf /bin/passwd
>>file /bin/passwd is not owned by any package
>>
>># rpm -ql passwd-0.64.1-4
>>/etc/pam.d/passwd
>>/usr/bin/passwd
>>/usr/share/man/man1/passwd.1.gz
>>
>>so where does /bin/passwd come from??
>>I checked whether maybe I can get something from
>># strings /bin/passwd
>>but I didn't find any suspicious line.
>>I attached it here, sorry if it's too big, it's just 3.5kb :)
>>I'm using rh7.1
>>
>
>It could be a link (hard or symbolic) to or a copy of /usr/bin/passwd.
>What do these tell you?
>
>    ls -li /bin/passwd /usr/bin/passwd
>    cmp /bin/passwd /usr/bin/passwd
>
>If you suspect you've been hacked, use:
>
>    rpm -Va
>
>to verify all your installed RPMS.  Expect changes to config files etc. but
>any changes to key binaries such as passwd, login, and ps are evidence that
>you've been hacked.
>
My guess is that the additional /usr/passwd executable was placed by the 
exploit.  The search path will probably look first in /bin, and then 
/usr/bin.  The bogus executable is found first.  The original 
/usr/bin/passwd is probably not altered.  So rpm -Va won't indicate 
anything for this file, although there are likely other things that have 
been changed which will show up.

As part of your clean-up, first remove the bogus file.  Unless you feel 
lucky, back up data files, and then reformat the hard drive and do a 
fresh install.  You should also try to find out how the cracker got in. 
Likely you were not keeping patches up to date.

Good luck.

Fred
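The checks the thread does by hand (ls -li and cmp on every copy of passwd in the search path, rpm -qf on each) can be scripted. This is an added example for readers of the archive, not code from either poster; the function name shadow_report and the status labels are my own, and rpm is only consulted when it is installed.

```shell
#!/bin/sh
# Added example: list every executable called NAME on a colon-separated
# search path and compare each hit with the first one, which is what the
# shell would actually run. Status per hit:
#   FIRST       first match in search order
#   SAME_INODE  hard link or symlink to the first hit (benign)
#   IDENTICAL   byte-for-byte copy (harmless but unusual)
#   DIFFERS     different contents; check which package, if any, owns it
# Exit status is 1 when any DIFFERS line was printed.

shadow_report() {
    name=$1
    search=${2:-$PATH}
    first=""
    suspicious=0
    old_ifs=$IFS
    IFS=:
    set -- $search          # split the search path into positional params
    IFS=$old_ifs
    for dir in "$@"; do
        f="$dir/$name"
        [ -f "$f" ] && [ -x "$f" ] || continue
        # -L follows symlinks, so a link to the first hit reports its inode
        inode=$(ls -Li "$f" | awk '{print $1}')
        if [ -z "$first" ]; then
            first=$f; first_inode=$inode; status=FIRST
        elif [ "$inode" = "$first_inode" ]; then
            status=SAME_INODE
        elif cmp -s "$f" "$first"; then
            status=IDENTICAL
        else
            status=DIFFERS; suspicious=1
        fi
        # Package ownership via rpm -qf, as in the thread, when rpm exists
        owner=""
        if command -v rpm >/dev/null 2>&1; then
            owner=$(rpm -qf "$f" 2>/dev/null) || owner="not owned by any package"
        fi
        printf '%s %s %s\n' "$status" "$f" "$owner"
    done
    return $suspicious
}

# Usage: sh shadow_report.sh passwd   (walks $PATH of the calling shell)
if [ -n "${1:-}" ]; then
    shadow_report "$1"
fi
```

A DIFFERS hit that rpm reports as not owned by any package is exactly the situation in the thread; a SAME_INODE or IDENTICAL hit is the benign case Timothy's reply allows for.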

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list