ACK! How to fix a compromised system?

Lucas Peet sirsky at lucastek.com
Sun Apr 20 05:36:40 CDT 2003


What constitutes 'wildly different'?

-Lucas 

Lucas Peet
sirsky at lucastek.com

-----Original Message-----
From: owner-kclug at marauder.illiana.net
[mailto:owner-kclug at marauder.illiana.net] On Behalf Of Dave Hull
Sent: Saturday, April 19, 2003 10:46 PM
Cc: List - KCLUG
Subject: Re: ACK! How to fix a compromised system?

On Sat, 19 Apr 2003, Hanasaki JiJi wrote:

> What are signs to look for in a compromised system?

I read this in the "Linux Hacks" book that's out from O'Reilly and found it
interesting. According to the author (Fleckinger?), you can load up modules
and replace binaries which will hide processes, etc., but it's much more
difficult to muck with /proc.

Therefore, it's possible to use the following command line,

ls -d /proc/* | grep [0-9] | wc -l; ps ax | wc -l

which counts the number of directory entries in /proc which are associated
with a PID and the second half of which counts the number of processes
displayed by "ps ax". Obviously, if your counts are wildly different over a
few runs, you've likely got a problem. I ran this on my system and found the
numbers to be wildly different, but this turned out to be due to an alias for
ls.

Granted, this method is not foolproof and the more this gets used, the more
likely future rootkits will be to try and fool this method.

If you know what services you have running on a system and what ports those
services are running on, you can use nmap or the port scanner of your choice
to see if you have any odd ports listening.

I've also found many rootkited machines which leave lsof untouched, though I'm
sure there are rootkits which replace it, I've just not seen them. Running
"lsof -i" on a machine gives output similar to netstat.

-- 
Dave Hull
http://insipid.com

Ask not what's inside your head, but what your head's inside of.
		-- J.J. Gibson
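An added example, not code from the thread, that turns Dave's count comparison into a per-PID diff in POSIX sh: it lists PIDs from /proc with a shell glob (so an ls alias cannot skew it) and from `ps -e -o pid=`, then prints every PID the kernel exposes that ps does not report. It assumes a Linux-style /proc and a ps that accepts `-e -o pid=`; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: rather than compare two counts,
# list the PIDs the kernel exposes under /proc and the PIDs ps reports, and
# print every PID present in /proc but absent from ps. That is the gap a
# userland rootkit that replaces ps (or, as in the thread, an ls alias)
# produces, and a short list of PIDs is easier to triage than two totals.

# hidden_pids PROC_LIST PS_LIST
#   Both arguments are whitespace-separated PID lists. Prints, one per line,
#   every PID in PROC_LIST that does not occur in PS_LIST.
hidden_pids() {
    ps_lines=$(printf '%s\n' $2)    # unquoted on purpose: one PID per line
    for p in $1; do
        printf '%s\n' "$ps_lines" | grep -qx "$p" || printf '%s\n' "$p"
    done
    return 0
}

# PIDs according to the kernel (assumes a Linux-style /proc). A shell glob is
# used instead of ls so an aliased or replaced ls cannot skew the result.
proc_pids() {
    for d in /proc/[0-9]*; do
        [ -d "$d" ] && printf '%s\n' "${d#/proc/}"
    done
    return 0
}

# PIDs according to ps. "-o pid=" prints bare PIDs with no header line, which
# "ps ax | wc -l" would otherwise count as one extra process.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Snapshot /proc first, then ps, and run this a few times: a process that
# exits between the two snapshots shows up once, a hidden one every time.
# Returns non-zero on a discrepancy so it can be scheduled from cron.
report_hidden() {
    hidden=$(hidden_pids "$(proc_pids)" "$(ps_pids)")
    if [ -n "$hidden" ]; then
        printf 'PIDs in /proc but not reported by ps:\n%s\n' "$hidden"
        return 1
    fi
    echo "no discrepancy between /proc and ps"
}

if [ "${1-}" = "--live" ]; then report_hidden; fi
```

Run it as `sh check.sh --live` (as root, so /proc and ps both see every process) and treat any PID that is reported on every run, rather than just once, as the one to investigate.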