Personally...
1. First confirm the problem: install chkrootkit
http://www.chkrootkit.org/download/
This will run the most common tests.
2. Should you find any anomaly:
test: ls netstat ps top du pstree find passwd su sshd telnet
- As root:
- cd /
- wget amail.co.uk/cleanfiles.tgz
- tar zxvf cleanfiles.tgz
- cd /cleanfiles
- ./netstat -apn (will show open ports and process no.)
- ./pstree -apn (will show a tree of processes)
3. Limit access to: ls netstat ps top du pstree find passwd su, by using chmod.
4. Ensure telnet is never running.
5. Ensure you have an up to date version of SSH (currently OpenSSH 4.3p2, I think)
6. Also disable SSH1 fallback in /etc/sshd/sshd2_config - "Ssh1Compatibility no"
7. Follow:
http://cobalt-users.1stserv.com/msg81147.html
I found, after spending a week trying to shut the stable door, burn the stable down and build a new one!
*If you only want to confirm "du" command isn't hacked follow step 2, above*
Cheers,
C
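As an added example (not code from C's post, from chkrootkit, or from the cleanfiles tarball), steps 2 to 6 above as a small POSIX shell checker. It assumes sha256sum or shasum is installed, that the known-good copies come from trusted install media or a clean package cache (the CLEAN_DIR placeholder, not a download), that the saved netstat output uses Linux net-tools column layout with "LISTEN" in field 6, and that the SSH daemon is OpenSSH, where the equivalent of "Ssh1Compatibility no" is the "Protocol 2" directive. Every file and netstat line in demo() is constructed inline.

```shell
#!/bin/sh
# Added example, not from the list post: verify a set of system binaries
# against known-good copies and check the hardening points above.
# Assumptions: POSIX sh; sha256sum or shasum; CLEAN_DIR holds copies taken
# from trusted media (placeholder, not the amail.co.uk tarball).

TOOLS="ls netstat ps top du pstree find passwd su sshd telnet"

hash_file() {            # SHA-256 of $1, with whichever tool is installed
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_manifest CLEAN_DIR -> one "name sha256" line per tool present there
make_manifest() {
    for t in $TOOLS; do
        [ -f "$1/$t" ] && printf '%s %s\n' "$t" "$(hash_file "$1/$t")"
    done
    return 0
}

# verify_manifest MANIFEST LIVE_DIR -> prints each tool whose live copy
# differs or is missing; returns 1 if any did, 0 if every tool matched
verify_manifest() {
    bad=0
    while read -r name want; do
        if [ ! -f "$2/$name" ]; then
            printf '%s (missing)\n' "$name"; bad=1
        elif [ "$(hash_file "$2/$name")" != "$want" ]; then
            printf '%s\n' "$name"; bad=1
        fi
    done < "$1"
    return $bad
}

# restrict_tools LIVE_DIR -> step 3: only root may read or run the tools
# (re-run after any package update, which reinstalls them 755)
restrict_tools() {
    for t in $TOOLS; do
        [ -f "$1/$t" ] && chmod 700 "$1/$t"
    done
    return 0
}

# telnet_listening FILE -> step 4: 0 if the saved output of the clean
# './netstat -apn' has a LISTEN socket bound to port 23
telnet_listening() {
    awk '$6 == "LISTEN" && $4 ~ /:23$/ { found = 1 } END { exit !found }' "$1"
}

# ssh1_enabled SSHD_CONFIG -> step 6 for OpenSSH: 0 unless the file pins
# "Protocol 2" (absent or "2,1" counts as enabled, the safe reading for
# OpenSSH releases of the 4.x era, whose default still allowed protocol 1)
ssh1_enabled() {
    awk 'tolower($1) == "protocol" { v = $2 }
         END { exit ((v == "2") ? 1 : 0) }' "$1"
}

# demo -> constructed scenario: clean copies of every tool, a live tree in
# which "du" was replaced, a netstat capture with in.telnetd on :23 and an
# sshd_config that still allows protocol 1. Prints a one-line summary.
demo() {
    top=$(mktemp -d) && clean="$top/clean" && live="$top/live"
    mkdir -p "$clean" "$live"
    for t in $TOOLS; do
        printf '#!/bin/sh\necho genuine %s\n' "$t" > "$clean/$t"
        cp "$clean/$t" "$live/$t"
    done
    printf '#!/bin/sh\necho backdoored du\n' > "$live/du"     # tampered copy
    make_manifest "$clean" > "$top/manifest"
    tampered=$(verify_manifest "$top/manifest" "$live" || true)
    restrict_tools "$live"
    cat > "$top/netstat.txt" <<'EOF'
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1234/sshd
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN      1301/in.telnetd
EOF
    printf 'Port 22\nProtocol 2,1\n' > "$top/sshd_config"
    tel=no; telnet_listening "$top/netstat.txt" && tel=yes
    s1=no;  ssh1_enabled "$top/sshd_config" && s1=yes
    printf 'tampered=%s telnet=%s ssh1=%s mode=%s\n' \
        "$tampered" "$tel" "$s1" "$(ls -ld "$live/du" | cut -c1-10)"
    rm -rf "$top"
}
```

Running demo prints `tampered=du telnet=yes ssh1=yes mode=-rwx------`. On a real box the manifest is built once from the clean copies and kept off the host (a trojaned `du` or `ls` on the live system cannot alter a file it never sees), and the netstat capture must come from the clean `./netstat`, since a replaced one will happily omit the telnet listener.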
-----Original Message-----
From: cobaltfacts-bounces@list... [mailto:cobaltfacts-bounces@list...] On Behalf Of Thom LaCosta
Sent: 11 March 2007 12:02
To: Cobaltfacts mailing list
Subject: Re: [cobaltfacts] Something is lurking in home/tmp ?
At 01:17 PM 3/10/2007, Dogsbody wrote:
>>>I think something is in /home/tmp that shouldn't be there
>>>drwxrwxrwt 12 root root 405504 Mar 9 13:17 .
>>I think this server is hacked!!!
>>Because the files beginning with ssh look not good
>
>The ssh- directories are standard, used by ssh-agent [1]; just like
>anything, they still could be bad if you don't know what they
>are. To be honest there is nothing in this listing that screams
>hacker to me, they are all standard files used by various parts of the
>system.
What concerned me was the reported size 405504
du -h shows
9.0k ./.casp3000
1.0k ./ssh-bgH22636
1.0k ./mc-root
1.0k ./ssh-Dxy14397
1.0k ./ssh-TZt17792
1.0k ./ssh-MlK24086
1.0k ./.webmin
1.0k ./screens/S-root
2.0k ./screens
1.0k ./uscreens/S-admin
1.0k ./uscreens/S-tlchost
3.0k ./uscreens
430k
So what accounts for the space not listed? Something invisible?
Thom
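An added example, not from Thom's message or from chkrootkit, for the "space not listed" question. Two facts it relies on: the 405504 in the `ls` line is st_size of the directory file itself (its entry table), which on ext2/ext3 grows as entries are added and never shrinks when they are removed; and `du` counts that table's blocks in the total for the directory without printing a line for it, so the gap between the total and the entries is the table, not an invisible file. The script reports that accounting, lists entries including dotfiles (plain `ls` and the `du -h` above both skip none here, but `ls` without `-a` would), and applies the link-count test that chkrootkit's chkdirs uses: on ext2/3/4 and tmpfs a directory's link count is 2 plus its subdirectories, so a subdirectory hidden from readdir() leaves the count one too high. It assumes POSIX sh, `find` with -mindepth/-maxdepth (GNU and BSD both have it), and `ls -l` column layout; the directory in demo() and its names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: account for a directory's reported
# size against what its entries add up to, and run the chkdirs-style
# link-count test. Assumes POSIX sh, find -mindepth/-maxdepth, ls -l layout.

# list_entries DIR -> every direct entry, dotfiles included (names that
# contain a newline would break the per-line handling below)
list_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | sort
}

# dir_report DIR -> "table=<bytes> entries=<n> total=<kB> children=<kB>"
#   table    : st_size of the directory file (its entry table); this is the
#              405504 in the listing above, and it does not shrink on ext2/3
#   total    : du -sk of DIR, which already includes the table's blocks
#   children : the du -sk figures of the entries, added up
# total - children is the space held by the entry table, not a hidden file
dir_report() {
    table=$(ls -ld "$1" | awk '{ print $5 }')
    n=$(list_entries "$1" | wc -l | tr -d ' ')
    total=$(du -sk "$1" | cut -f1)
    children=$(list_entries "$1" | while read -r e; do du -sk "$e"; done |
               awk '{ s += $1 } END { print s + 0 }')
    printf 'table=%s entries=%s total=%s children=%s\n' \
        "$table" "$n" "$total" "$children"
}

# nlink_verdict NLINK SUBDIRS -> the pure logic of the link-count test
nlink_verdict() {
    if [ "$1" -lt 2 ]; then
        echo "n/a"                 # btrfs, overlayfs: count not maintained
    elif [ $(( $1 - 2 )) -eq "$2" ]; then
        echo "ok"
    else
        echo "MISMATCH: link count implies $(( $1 - 2 )) subdirs, readdir shows $2"
    fi
}

# nlink_check DIR -> runs the test on a real directory (symlinks to
# directories are not counted, matching how the link count is kept)
nlink_check() {
    links=$(ls -ld "$1" | awk '{ print $2 }')
    subs=$(find "$1" -mindepth 1 -maxdepth 1 -type d | wc -l | tr -d ' ')
    nlink_verdict "$links" "$subs"
}

# demo -> constructed directory modelled on the listing above: two
# subdirectories (one hidden by a leading dot) and two small files
demo() {
    d=$(mktemp -d)
    mkdir "$d/screens" "$d/.webmin"
    printf 'session\n' > "$d/ssh-bgH22636"
    printf 'x\n' > "$d/.casp3000"
    dir_report "$d"
    nlink_check "$d"
    rm -rf "$d"
}
```

Run `dir_report /home/tmp` and `nlink_check /home/tmp` with the clean `find`, `ls` and `du` from step 2 rather than the system copies: a userland rootkit that filters readdir() in `ls` still cannot change the link count the kernel reports, which is why the two numbers are worth comparing. A "MISMATCH" on ext2/3/4 is worth chasing; "n/a" only means the filesystem does not keep the count.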
_______________________________________________
Cobaltfacts site list
Cobaltfacts@list...
http://list.cobaltfacts.com/mailman/listinfo.cgi/cobaltfacts