[NTLUG:Discuss] root can not edit hosts.deny file

Bug Hunter bughuntr at one.ctelcom.net
Tue Jun 17 13:30:42 CDT 2003


  What is important here is to use another "ls" to do the looking with.  
Try copying the ls from another machine, or using the "files" command, as 
that one is often overlooked.

  Your "ls" will be "fixed" to prevent it from showing root kit stuff, if 
your box is compromised.

  Sometimes, something like BusyBox, which has its own built-in commands, 
can be used to look around with.

  You might want to boot with Knoppix and mount your hard drive and then 
look around on it.  The ls on Knoppix will not be flawed.

bug


On Tue, 17 Jun 2003, Kenneth Loafman wrote:

> m m wrote:
> > Hi All:
> > 
> > Thanks for the tip.
> > I have checked all files in /var, /etc directories, the /etc/hosts.deny 
> > is the only file that was set to i.
> > What is the possibility that the box has been "rooted"?
> > 
> > What are the other files that hackers like to modify/change?
> 
> Look primarily in the executables directories:
> 
> /bin/*
> /lib/*
> /sbin/*
> /usr/bin/*
> /usr/lib/*
> /usr/sbin/*
> /usr/local/bin/*
> /usr/local/lib/*
> /usr/local/sbin/*
> 
> in particular:
> 
> ls
> ps
> find
> top
> gtop
> 
> or, any file that shows process state (to keep the task hidden)
> or, any file that shows filesystem state (to keep the files hidden)
> 
> Some crackers have the tools to modify the RPM database so a comparison 
> between what they installed and what the database shows is the same.  I 
> don't know about DEB.
> 
> ...Ken
> 
> 
> 
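
The cross-check suggested in this thread, as an added example that is not part of the original posts: it compares the names the shell's own globbing sees in a directory with what a given `ls` reports, and prints any name that `ls` leaves out. The function names are hypothetical, and `sort`, `comm` and `mktemp` are assumed to be trustworthy; a kernel-level rootkit hides files from the shell as well, which is why looking from a Knoppix boot remains the stronger check.

```shell
#!/bin/sh
# Added example: cross-view check of one directory (function names are hypothetical).
# Assumes sort, comm and mktemp are themselves trusted (e.g. run from rescue media).
# Limitation: file names containing newlines are not handled.

# glob_names DIR: names in DIR as seen by the shell's own globbing,
# with no external ls involved. One name per line, sorted.
glob_names() {
    (
        cd "$1" || exit 1
        for f in * .[!.]* ..?*; do
            # An unmatched pattern stays literal, so keep only real entries;
            # -L also keeps dangling symlinks.
            if [ -e "$f" ] || [ -L "$f" ]; then
                printf '%s\n' "$f"
            fi
        done
    ) | LC_ALL=C sort
}

# ls_names LS_BIN DIR: names as reported by the ls under test.
ls_names() {
    "$1" -A "$2" 2>/dev/null | LC_ALL=C sort
}

# hidden_from_ls LS_BIN DIR: print names the shell sees but LS_BIN omits.
hidden_from_ls() {
    tmp_glob=$(mktemp) || return 2
    tmp_ls=$(mktemp) || { rm -f "$tmp_glob"; return 2; }
    glob_names "$2" > "$tmp_glob"
    ls_names "$1" "$2" > "$tmp_ls"
    # comm -23 keeps lines that appear only in the first (glob) view.
    LC_ALL=C comm -23 "$tmp_glob" "$tmp_ls"
    rm -f "$tmp_glob" "$tmp_ls"
}

# Direct use: sh crossview.sh /bin/ls /bin /sbin /usr/bin /usr/sbin
if [ "$#" -ge 2 ]; then
    ls_bin=$1
    shift
    for d in "$@"; do
        hidden_from_ls "$ls_bin" "$d" | while IFS= read -r name; do
            printf 'not shown by %s: %s/%s\n' "$ls_bin" "$d" "$name"
        done
    done
fi
```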



