[Xastir] WAY off topic - but you guys are my 'best resource'

Tom Young tom at twyoung.com
Sat Aug 30 07:59:42 EDT 2003


Hi, 

You should distrust all programs on your system particularly the ones,
like 'ps', which help indicate what is going on.

Assuming you used ps to list running processes, try running 
	"rpm -V procps"
there should be no output.    

Chkrootkit should have caught a problem with ps, but perhaps
chkrootkit has itself been compromised.  The same could
happen to RPM, of course, but I've not heard of that, yet.
You can just re-install chkrootkit and rpm, if you suspect this
kind of compromise.

You can also run "rpm -Va" but you will have a lot of
output to analyze, so run  something like "rpm -Va > ~/.rpmva.out"

Running "rpm -Va > ~/.rpmvaB.out; diff ~/.rpmva.out ~/.rpmvaB.out " 
periodically will point out changes to your entire installed system, not
just those checked by chkrootkit.

Should this technique, through some misfortune, prove to be patentable, I
hereby grant all licensed amateur radio licensees a perpetual license
to use and distribute this approach to intrusion detection.  I have used
this approach successfully for years.  I have never seen any reference
to this approach, anywhere.

Also run up2date -u frequently, to get the latest security updates.

	Good Luck,

		-Tom, KD1UL



On Sat, 2003-08-30 at 03:11, KC7ZRU wrote:
> I found something disturbing tonight on one of my RH 7.3 boxes. It's set up 
> as a web server. All ports in are blocked with iptables/netfilter except 
> for 80.
> 
> In the /tmp directory - an executable binary called 'telnetd', 
> user=apache group=apache. It was not running. I never install telnetd on 
> anything I set up - ever.
> 
> chkrootkit says "OK" for as far as that goes.
> 
> logs 'look' clean - no obvious gaps, plenty of worm noise to create a 
> background.
> 
> I don't recognize anything else as suspicious.
> 
> Suggestions? Ideas?
> 
-- 
Tom Young
SoftWare Services
47 MITCHELL STREET
STAMFORD, CT 06902-7832
(203)357-9260
tom at twyoung.com  
ICCA-FW President #21180
http://www.twyoung.com  
ICQ#: 4891876
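The baseline/diff approach Tom describes, as an added example that is not part of the thread: a small Python parser for `rpm -Va` output that reports files which are new, changed or missing between two snapshots, and singles out non-config files whose size or MD5 differ (the pattern a replaced `ps` would show). The sample snapshots are constructed; the line format (an 8- or 9-character test-flag field, an optional file-type letter, then the path) is assumed from rpm 4's `rpm -V` documentation. As Tom notes, rpm and its database can themselves be tampered with, so this is a signal to investigate, not proof either way.

```python
import re

# One `rpm -V` result line: a test-flag field (8 chars on rpm 4.0, 9 on later
# versions: S size, M mode, 5 MD5, D device, L link, U user, G group, T mtime,
# P capabilities; '.' = passed, '?' = not testable), an optional file-type
# letter (c config, d doc, g ghost, l license, r readme), then the path.
VERIFY_RE = re.compile(
    r"^(?P<flags>[SM5DLUGTP.?]{8,9})\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$"
)
MISSING_RE = re.compile(r"^missing\s+(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S.*)$")


def parse_verify(text):
    """Map each reported path to (flags, file-type); 'missing' is a pseudo-flag."""
    entries = {}
    for line in text.splitlines():
        line = line.rstrip()
        m = VERIFY_RE.match(line) or MISSING_RE.match(line)
        if m is None:
            continue  # blank lines, rpm warnings, anything else unparsed
        flags = m.groupdict().get("flags") or "missing"
        entries[m.group("path")] = (flags, m.group("ftype") or "")
    return entries


def diff_snapshots(baseline_text, current_text):
    """What changed since the baseline run: new, changed and no-longer-reported paths."""
    base = parse_verify(baseline_text)
    cur = parse_verify(current_text)
    return {
        "new": sorted(p for p in cur if p not in base),
        "changed": sorted(p for p in cur if p in base and cur[p] != base[p]),
        "cleared": sorted(p for p in base if p not in cur),
    }


def high_risk(current_text, findings):
    """Non-config files that are missing or differ in size/MD5: look at these first."""
    cur = parse_verify(current_text)
    return sorted(
        p for p in findings["new"] + findings["changed"]
        if cur[p][1] != "c" and (cur[p][0] == "missing" or set("S5") & set(cur[p][0]))
    )


# Constructed sample snapshots in rpm 4.0 (RH 7.3 era) output format.
BASELINE = "S.5....T  c /etc/sysconfig/iptables\n.......T  c /etc/mail/sendmail.cf\n"
CURRENT = (BASELINE.replace(".......T", "S.5....T")
           + "S.5....T    /bin/ps\nmissing     /usr/bin/top\n")

if __name__ == "__main__":
    found = diff_snapshots(BASELINE, CURRENT)
    print(found)
    print("investigate first:", high_risk(CURRENT, found))
```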


