[ILUG] Possible system compromise

Dave Airlie airlied at csn.ul.ie
Wed Jan 23 14:18:19 GMT 2002


Run the rpm verify (rpm -va or something) and check that your signatures are
correct. Not the be-all and end-all, but it can be a good quick check for
login replacements etc.

Dave.

On Wed, 23 Jan 2002, Enda wrote:

> > I had a problem this morning with a box running SuSE 6.4. It's in a
> > company's DMZ and for some reason it was rebooted and networking did not
> > start properly. Investigation (of the remote controlled person kind, given
> > that the machine was off the air) eventually revealed that the network
> > start script /etc/rc.d/init.d/network was not the correct SuSE script but
> > rather was a RedHat version.
>
> suse-security-subscribe at suse.com
> subscribe and post your question here, there are some dedicated security
> nuts there that answer about 50 of these type questions within minutes every
> week.
>
> you'll almost certainly be referred to this as well :
> http://www.susesecurity.com/faq/
>
>
> > This is obviously a little strange and none of those involved in managing
> > the machine know anything about it so I'm wondering could it be part of
> > some rootkit or other. It sounds very strange to me for a rootkit to do,
> > i.e. to modify a script which won't be run for a long time, but maybe it's
> > a way of ensuring that whatever backdoors might have been installed stay
> > installed, but OTOH it does sound like typical rootkit behaviour, i.e. to
> > assume that the box being cracked is running RH. Does the behaviour I
> > described ring a bell with anybody?
> >
> >
> >
> > Niall
> >
> > --
> > Irish Linux Users' Group: ilug at linux.ie
> > http://www.linux.ie/mailman/listinfo/ilug for (un)subscription information.
> > List maintainer: listmaster at linux.ie
> >
>
>
>

-- 
David Airlie, Software Engineer
http://www.skynet.ie/~airlied / airlied at skynet.ie
pam_smb / Linux DecStation / Linux VAX / ILUG person
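
[Added example, not part of the original thread or written by its posters: a
small shell filter for the "rpm verify" quick check suggested above. It reads
rpm's verify output and keeps only non-config files whose digest changed or
that are missing. The sample lines and the function names are constructed for
illustration.]

```shell
#!/bin/sh
# Triage `rpm -Va` output for signs of replaced programs.
# Each line is: <attribute flags> [c|d|g|l|r] <path>, or "missing [c] <path>".
# A "5" in the flags means the file digest differs from the RPM database.

# Constructed sample output (not taken from a real host).
sample_output() {
cat <<'EOF'
S.5....T.  c /etc/ssh/sshd_config
.......T.    /usr/share/doc/packages/foo/README
S.5....T.    /bin/login
..5....T.    /etc/rc.d/init.d/network
.M.......    /var/log/httpd
missing      /usr/bin/last
missing    c /etc/motd
EOF
}

# Reads verify output on stdin; prints "REASON<TAB>path" for each non-config
# file that is missing or whose digest no longer matches the database.
triage_rpm_verify() {
  awk '
    {
      flags = $1
      # The second field is a one-letter file type marker when present.
      if (NF >= 3 && $2 ~ /^[cdglr]$/) { marker = $2; first = 3 }
      else                             { marker = "";  first = 2 }
      path = $first
      for (i = first + 1; i <= NF; i++) path = path " " $i
      if (marker == "c") next            # config files change legitimately
      if (flags == "missing")
        print "MISSING\t" path
      else if (flags ~ /^[A-Za-z0-9.?]+$/ && index(flags, "5") > 0)
        print "DIGEST\t" path
    }'
}

# Demo on the constructed sample. Live use (as root):
#   rpm -Va 2>/dev/null | triage_rpm_verify
sample_output | triage_rpm_verify
```

The RPM database sits on the same disk as the files it describes, so a clean
result is only as trustworthy as that database and the rpm binary reading it.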





