[ILUG] Possible system compromise
Niall O Broin
niall at linux.ie
Wed Jan 23 12:06:27 GMT 2002
I had a problem this morning with a box running SuSE 6.4. It's in a
company's DMZ and for some reason it was rebooted and networking did not
start properly. Investigation (of the remote controlled person kind, given
that the machine was off the air) eventually revealed that the network start
script /etc/rc.d/init.d/network was not the correct SuSE script but rather
was a RedHat version.
This is obviously a little strange and none of those invloved in managing
the machine know anything about it so I'm wondering could it be part of some
rootkit or other. It sounds a very strange to me for a rootkit to do i.e. to
modify a script which won't be run for a long time but maybe it's a way of
ensuring that whatever backdoors might have been installed stay installed
but OTOH it does sound like a typical rootkit behaviour i.e. to assume that
the box being cracked is running RH. Does the behaviour I described ring a
bell with anybody ?
Niall
More information about the ILUG
mailing list