[NTLUG:Discuss] root can not edit hosts.deny file

Dennis Myhand dmyhand at zamigo.net
Tue Jun 17 15:10:05 CDT 2003


Richard Strittmatter wrote:

>Also check in the /dev directory.
>
>A LOT of rootkits will put data directories there. Newer ones
>are also using /usr/share
>
>>-----Original Message-----
>>From: discuss-bounces at ntlug.org 
>>[mailto:discuss-bounces at ntlug.org] On Behalf Of Bug Hunter
>>Sent: Tuesday, June 17, 2003 1:31 PM
>>To: NTLUG Discussion List
>>Subject: Re: [NTLUG:Discuss] root can not edit hosts.deny file
>>
>>
>>
>>  What is important here is to use another "ls" to do the looking with.
>>Try copying the ls from another machine, or using the "files" command, as
>>that one is often overlooked.
>>
>>  Your "ls" will be "fixed" to prevent it from showing root kit stuff, if
>>your box is compromised.
>>
>>  Sometimes, something like busybox, which has its own built-in commands,
>>can be used to look around with.
>>
>>  You might want to boot with knoppix and mount your hard drive and then
>>look around on it.  The ls on knoppix will not be flawed.
>>
>>bug
>>
>>
>>On Tue, 17 Jun 2003, Kenneth Loafman wrote:
>>
>>>m m wrote:
>>>
>>>>Hi All:
>>>>
>>>>Thanks for the tip.
>>>>I have checked all files in /var, /etc directories; the /etc/hosts.deny
>>>>is the only file that was set to i.
>>>>What is the possibility that the box has been "rooted"?
>>>>
>>>>What are the other files that a hacker likes to modify/change?
>>>>
>>>Look primarily in the executables directories:
>>>
>>>/bin/*
>>>/lib/*
>>>/sbin/*
>>>/usr/bin/*
>>>/usr/lib/*
>>>/usr/sbin/*
>>>/usr/local/bin/*
>>>/usr/local/lib/*
>>>/usr/local/sbin/*
>>>
>>>in particular:
>>>
>>>ls
>>>ps
>>>find
>>>top
>>>gtop
>>>
>>>or any file that shows process state (to keep the task hidden), or
>>>any file that shows filesystem state (to keep the files hidden).
>>>
>>>Some crackers have the tools to modify the RPM database so a comparison
>>>between what they installed and what the database shows is the same.  I
>>>don't know about DEB.
>>>
>>>...Ken
>>>
>>_______________________________________________
>>https://ntlug.org/mailman/listinfo/discuss
>
I have also heard that there is a tool called "chkrootkit" @
www.chkrootkit.org which can assist in checking for rootkits.
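As an added example, not code from anyone in this thread, here is a small POSIX shell script that does the offline check Bug and Ken describe: hash the binary directories from a trusted rescue boot and compare against a baseline taken from a known-good install. ROOT, the manifest path and the demonstration tree are assumptions.

```shell
# Added example, not code from the thread. Assumes the suspect disk is mounted
# (read-only if possible) at ROOT from a trusted rescue boot such as knoppix, so
# find/sha256sum here are the rescue system's, not the suspect box's possibly
# trojaned binaries. BIN_DIRS is the list Ken gave; the baseline must come from
# a known-good install, since a modified RPM database would simply agree.
BIN_DIRS="bin sbin lib usr/bin usr/sbin usr/lib usr/local/bin usr/local/sbin usr/local/lib"

# list_binaries ROOT: every regular file under BIN_DIRS, relative to ROOT, sorted.
list_binaries() {
  ( cd "$1" && for d in $BIN_DIRS; do [ -d "$d" ] || continue; find "$d" -type f; done ) | sort
}

# make_baseline ROOT MANIFEST: write one "sha256  relative/path" line per file.
make_baseline() {
  list_binaries "$1" | ( cd "$1" && while read -r p; do sha256sum "$p"; done ) > "$2"
}

# verify_tree ROOT MANIFEST: print MODIFIED:/MISSING:/NEW: findings, one per line.
# Returns 0 when the tree matches the baseline exactly, 1 otherwise.
verify_tree() {
  root="$1"; manifest="$2"; findings=""
  while read -r hash path; do
    if [ ! -f "$root/$path" ]; then
      findings="$findings MISSING:$path"
    elif [ "$(sha256sum "$root/$path" | cut -d' ' -f1)" != "$hash" ]; then
      findings="$findings MODIFIED:$path"   # e.g. a replaced ls, ps or find
    fi
  done < "$manifest"
  # Files present now that the baseline never saw: dropped tools, hidden data.
  for path in $(list_binaries "$root"); do
    cut -d' ' -f3 "$manifest" | grep -qxF -- "$path" || findings="$findings NEW:$path"
  done
  [ -z "$findings" ] && return 0
  for f in $findings; do echo "$f"; done
  return 1
}

# Constructed demonstration tree (not a real system): baseline a three-file
# "install", then trojan ls, delete ps and drop a hidden file, and report.
demo() {
  t=$(mktemp -d)
  mkdir -p "$t/bin" "$t/usr/bin"
  echo "real ls" > "$t/bin/ls"; echo "real ps" > "$t/bin/ps"; echo "real find" > "$t/usr/bin/find"
  make_baseline "$t" "$t/baseline.txt"
  echo "trojaned ls" > "$t/bin/ls"; rm "$t/bin/ps"; echo "tool" > "$t/usr/bin/.hidden"
  if verify_tree "$t" "$t/baseline.txt"; then echo "clean"; fi
  rm -rf "$t"
}
demo   # prints MODIFIED:bin/ls, MISSING:bin/ps, NEW:usr/bin/.hidden
```

Take the baseline before an incident (or from a fresh install of the same packages) and keep it off the box; a baseline taken after the fact only confirms the current state.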
