Six days ago I upgraded chkrootkit. I have been using it for 3 months and have a cron job that reports to me every day, and I have snort too, to watch for any suspicious network connections.

I checked that netstat, ps, login and ssh have the right md5sum and are in the right place :) I have subscribed to bugzilla to receive any security issues, and I update with up2date from Red Hat, so I usually have the current package updates. I don't want to erase /bin/passwd first if I'm not sure where it came from?? I put ssh_possible_infected on my anonymous ftp: ftp://mbone.petra.ac.id/security/possible-infected

On Wed, Aug 28, 2002 at 11:54:57AM -0600, Frederic Herman wrote:
> Timothy Writer wrote:
> 
> > Lewi <[EMAIL PROTECTED]> writes:
> > 
> > > I was just checking where passwd comes from. When I run this
> > > # whereis passwd
> > > passwd: /bin/passwd /usr/bin/passwd /etc/passwd.OLD /etc/passwd /usr/share/man/man1/passwd.1.gz
> > > 
> > > then I checked
> > > # rpm -qf /bin/passwd
> > > file /bin/passwd is not owned by any package
> > > 
> > > # rpm -ql passwd-0.64.1-4
> > > /etc/pam.d/passwd
> > > /usr/bin/passwd
> > > /usr/share/man/man1/passwd.1.gz
> > > 
> > > so where does /bin/passwd come from??
> > > I checked to see whether I could get something with
> > > # strings /bin/passwd
> > > but I didn't find any suspicious line.
> > > I attached it here, sorry if it's too big, it's just 3.5kb :)
> > > I'm using rh7.1
> > 
> > It could be a link (hard or symbolic) to or a copy of /usr/bin/passwd.
> > What do these tell you?
> > 
> >     ls -li /bin/passwd /usr/bin/passwd
> >     cmp /bin/passwd /usr/bin/passwd
> > 
> > If you suspect you've been hacked, use:
> > 
> >     rpm -Va
> > 
> > to verify all your installed RPMs. Expect changes to config files etc. but
> > any changes to key binaries such as passwd, login, and ps are evidence that
> > you've been hacked.
> 
> My guess is that the additional /usr/passwd executable was placed by the
> exploit. The search path will probably look first in /bin, and then
> /usr/bin. The bogus executable is found first. The original
> /usr/bin/passwd is probably not altered. So rpm -Va won't indicate
> anything for this file, although there are likely other things that have
> been changed which will show up.
> 
> As part of your clean up, first remove the bogus file. Unless you feel
> lucky, back up data files, and then reformat the hard drive and do a
> fresh install. You should also try to find out how the cracker got in.
> Likely you were not keeping patches up to date.
> 
> Good luck.
> 
> Fred
> 
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
> https://listman.redhat.com/mailman/listinfo/redhat-list

--
ichtus
------
Lewi Supranata .K
ICQ: 50643061
Homepage : http://mercury7.petra.ac.id/~ichtus
GnuPG Public Key : http://mercury7.petra.ac.id/~ichtus/ichtus-keys2
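The `ls -li` / `cmp` check suggested in the quoted thread, written out as an added example that is not part of this mail thread: it classifies whether a suspect binary is a hard link, a symlink or a byte-for-byte copy of the packaged reference, or something else that still needs `rpm -qf` / `rpm -V` on a real RPM host. Every path it creates is a constructed temp file, not the real /bin/passwd or /usr/bin/passwd.

```python
import filecmp
import os
import shutil
import tempfile


def classify(suspect, reference):
    """Return one of 'symlink', 'hardlink', 'copy', 'different', 'missing'.

    'symlink'   suspect is a symbolic link that resolves to reference
    'hardlink'  same device and inode (what `ls -li` shows as equal numbers)
    'copy'      different inode but byte-identical content (`cmp` stays silent)
    'different' neither a link nor a copy: the unexplained case that needs
                package verification (`rpm -qf`, `rpm -V`) before deciding
    """
    if not os.path.lexists(suspect) or not os.path.exists(reference):
        return "missing"
    if os.path.islink(suspect):
        if os.path.realpath(suspect) == os.path.realpath(reference):
            return "symlink"
        return "different"
    a, b = os.stat(suspect), os.stat(reference)
    if (a.st_dev, a.st_ino) == (b.st_dev, b.st_ino):
        return "hardlink"
    if filecmp.cmp(suspect, reference, shallow=False):
        return "copy"
    return "different"


def demo():
    """Constructed stand-ins: one 'usr_bin_passwd' reference and four
    'bin_passwd_*' candidates in a temp dir; returns each candidate's verdict."""
    d = tempfile.mkdtemp()
    ref = os.path.join(d, "usr_bin_passwd")
    with open(ref, "wb") as f:
        f.write(b"\x7fELF constructed reference binary\n")
    hard = os.path.join(d, "bin_passwd_hard")
    os.link(ref, hard)                      # same inode as the reference
    sym = os.path.join(d, "bin_passwd_sym")
    os.symlink(ref, sym)                    # symbolic link to the reference
    copy = os.path.join(d, "bin_passwd_copy")
    shutil.copyfile(ref, copy)              # new inode, identical bytes
    other = os.path.join(d, "bin_passwd_other")
    with open(other, "wb") as f:
        f.write(b"\x7fELF constructed unrelated binary\n")   # the worrying case
    return {os.path.basename(p): classify(p, ref) for p in (hard, sym, copy, other)}
```

Only the 'different' verdict is the one the thread is worried about; a hard link or copy of the packaged binary is explained by the check itself.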