[NTLUG:Discuss] root can not edit hosts.deny file
Dennis Myhand
dmyhand at zamigo.net
Tue Jun 17 15:12:15 CDT 2003
Dennis Myhand wrote:
> Richard Strittmatter wrote:
>
>> Also check in the /dev directory.
>>
>> A LOT of rootkits will put data directories there. Newer ones
>> are also using /usr/share
>>
>>> -----Original Message-----
>>> From: discuss-bounces at ntlug.org [mailto:discuss-bounces at ntlug.org]
>>> On Behalf Of Bug Hunter
>>> Sent: Tuesday, June 17, 2003 1:31 PM
>>> To: NTLUG Discussion List
>>> Subject: Re: [NTLUG:Discuss] root can not edit hosts.deny file
>>>
>>> what is important here is to use another "ls" to do the looking
>>> with. Try copying the ls from another machine, or using the "files"
>>> command, as that one is often overlooked.
>>>
>>> Your "ls" will be "fixed" to prevent it from showing root kit
>>> stuff, if your box is compromised.
>>>
>>> Sometimes, something like busybox, which has its own built-in
>>> commands, can be used to look around with.
>>>
>>> You might want to boot with Knoppix and mount your hard drive and
>>> then look around on it. The ls on Knoppix will not be flawed.
>>>
>>> bug
>>>
>>> On Tue, 17 Jun 2003, Kenneth Loafman wrote:
>>>
>>>> m m wrote:
>>>>
>>>>> Hi All:
>>>>>
>>>>> Thanks for the tip.
>>>>> I have checked all files in the /var and /etc directories; the
>>>>> /etc/hosts.deny
>>>>> is the only file that was set to i.
>>>>> What is the possibility that the box has been "rooted"?
>>>>>
>>>>> What are the other files that the hacker likes to modify/change?
>>>>>
>>>>
>>>> Look primarily in the executables directories:
>>>>
>>>> /bin/*
>>>> /lib/*
>>>> /sbin/*
>>>> /usr/bin/*
>>>> /usr/lib/*
>>>> /usr/sbin/*
>>>> /usr/local/bin/*
>>>> /usr/local/lib/*
>>>> /usr/local/sbin/*
>>>>
>>>> in particular:
>>>>
>>>> ls
>>>> ps
>>>> find
>>>> top
>>>> gtop
>>>>
>>>> or, any file that shows process state (to keep the task hidden) or,
>>>> any file that shows filesystem state (to keep the files hidden)
>>>>
>>>> Some crackers have the tools to modify the RPM database so a
>>>> comparison between what they installed and what the database shows is
>>>> the same. I don't know about DEB.
>>>>
>>>> ...Ken
>>>>
>>>
>>> _______________________________________________
>>> https://ntlug.org/mailman/listinfo/discuss
>>>
>>
> I have also heard that there is a tool called "chrootkit" @
> www.chrootkit.org which can assist in checking for rootkits.
>
Okay... the real URL is www.chkrootkit.org
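The thread's two practical suggestions, "look with an ls you trust" and "check /dev for things that are not device nodes", can be scripted. The following is an added example written for this archive page; it is not code from the thread, from chkrootkit, or from any other project mentioned. It assumes only POSIX sh plus find(1), ls(1), sort(1) and comm(1); the function names (glob_listing, cross_check_listing, foreign_files_in) and the --run option are my own.

```shell
#!/bin/sh
# Added example (not from the NTLUG thread or any project it mentions).
# Two defender-side checks that follow the advice in the thread above.
#
#  cross_check_listing DIR [LS]
#      Prints names that the shell's own glob expansion sees in DIR but that
#      the given ls command (default: "ls" from PATH) does not print.  The
#      glob never executes the ls binary, so a trojaned ls that filters names
#      shows up as a non-empty result.  Pass a trusted ls (a copy from another
#      machine, busybox, or a Knoppix mount) as the second argument to compare
#      it against the installed one.
#
#  foreign_files_in DEVDIR
#      Prints regular files under a /dev-style tree.  /dev should contain
#      device nodes, fifos, sockets, symlinks and a few directories; regular
#      files there are the "data directories" the thread warns about.

# Names in DIR obtained from glob expansion only.  "." and ".." are skipped,
# and an unmatched pattern (empty directory) is skipped by the existence test.
glob_listing() {
    ( cd "$1" || exit 1
      for name in .* *; do
          [ -e "$name" ] || [ -L "$name" ] || continue
          case "$name" in .|..) continue ;; esac
          printf '%s\n' "$name"
      done )
}

cross_check_listing() {
    dir="$1"
    lscmd="${2:-ls}"
    work=$(mktemp -d) || return 1
    glob_listing "$dir" | LC_ALL=C sort > "$work/glob"
    "$lscmd" -1A "$dir" | LC_ALL=C sort > "$work/ls"
    # lines present only in the glob listing are names ls is not showing
    LC_ALL=C comm -23 "$work/glob" "$work/ls"
    rm -rf "$work"
}

# Regular files in DEVDIR, staying on one filesystem (-xdev) so that tmpfs
# mounts such as /dev/shm are not scanned.
foreign_files_in() {
    find "$1" -xdev -type f 2>/dev/null
}

# Usage: sh rootkit_checks.sh --run [DIR] [TRUSTED_LS]
if [ "${1:-}" = "--run" ]; then
    target="${2:-/}"
    echo "== entries in $target hidden from ${3:-ls} =="
    cross_check_listing "$target" "${3:-ls}"
    echo "== regular files under /dev =="
    foreign_files_in /dev
fi
```

Two caveats on reading the output. A rootkit that hooks readdir() in libc (LD_PRELOAD) or in the kernel hides from the glob as well as from ls, so an empty cross-check result is not proof of a clean box; the Knoppix route in the thread, reading the disk with a kernel and libc the attacker never touched, is the stronger check. And some systems keep a legitimate file or two in /dev (an old MAKEDEV script, for example), so treat the second list as something to review rather than as an alert by itself.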