[NTLUG:Discuss] root can not edit hosts.deny file
Richard Strittmatter
richard at mesh.net
Tue Jun 17 13:52:49 CDT 2003
Also check in the /dev directory.
A LOT of rootkits will put data directories there. Newer ones
are also using /usr/share.
> -----Original Message-----
> From: discuss-bounces at ntlug.org
> [mailto:discuss-bounces at ntlug.org] On Behalf Of Bug Hunter
> Sent: Tuesday, June 17, 2003 1:31 PM
> To: NTLUG Discussion List
> Subject: Re: [NTLUG:Discuss] root can not edit hosts.deny file
>
> what is important here is to use another "ls" to do the looking with.
> Try copying the ls from another machine, or using the "files" command,
> as that one is often overlooked.
>
> Your "ls" will be "fixed" to prevent it from showing root kit stuff,
> if your box is compromised.
>
> Sometimes, something like busybox, which has its own built in commands
> can be used to look around with.
>
> You might want to boot with knoppix and mount your hard drive and then
> look around on it. The ls on knoppix will not be flawed.
>
> bug
>
>
> On Tue, 17 Jun 2003, Kenneth Loafman wrote:
>
> > m m wrote:
> > > Hi All:
> > >
> > > Thanks for the tip.
> > > I have checked all files in the /var, /etc directories; /etc/hosts.deny
> > > is the only file that was set to i.
> > > What is the possibility that the box has been "rooted"?
> > >
> > > What are the other files that the hacker likes to modify/change?
> >
> > Look primarily in the executables directories:
> >
> > /bin/*
> > /lib/*
> > /sbin/*
> > /usr/bin/*
> > /usr/lib/*
> > /usr/sbin/*
> > /usr/local/bin/*
> > /usr/local/lib/*
> > /usr/local/sbin/*
> >
> > in particular:
> >
> > ls
> > ps
> > find
> > top
> > gtop
> >
> > or, any file that shows process state (to keep the task hidden) or,
> > any file that shows filesystem state (to keep the files hidden)
> >
> > Some crackers have the tools to modify the RPM database so a comparison
> > between what they installed and what the database shows is the same. I
> > don't know about DEB.
> >
> > ...Ken
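
The checks suggested in this thread, as an added example that is not part of the original messages: run from rescue media such as Knoppix with the suspect disk mounted read-only, it reads inode data directly instead of trusting the disk's own `ls`, listing regular files and directories under `dev/` and files under `etc/` and `var/` that carry the immutable (`i`) attribute. The mount point `/mnt/suspect` and all function names are assumptions made for this example.

```python
import fcntl
import os
import stat
import struct
import sys

# Linux _IOR('f', 1, long): read inode flags, the same call lsattr uses.
FS_IOC_GETFLAGS = 0x80006601 | (struct.calcsize("l") << 16)
FS_IMMUTABLE_FL = 0x00000010  # the "i" attribute

def odd_dev_entries(root):
    """Regular files and directories under <root>/dev; hits are leads to review."""
    hits = []
    for top, dirs, files in os.walk(os.path.join(root, "dev")):
        for name in dirs + files:
            path = os.path.join(top, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            if stat.S_ISREG(mode) or stat.S_ISDIR(mode):
                hits.append(path)  # device nodes, FIFOs, symlinks are skipped
    return sorted(hits)

def is_immutable(path):
    """True/False for the i flag; None if the filesystem cannot report it."""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK | os.O_NOFOLLOW)
        try:
            buf = bytearray(struct.calcsize("l"))
            fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf)  # kernel fills buf in place
            return bool(int.from_bytes(buf[:4], sys.byteorder) & FS_IMMUTABLE_FL)
        finally:
            os.close(fd)
    except OSError:
        return None

def immutable_files(root, subdirs=("etc", "var")):
    """Regular files under the given subtrees that carry the i flag."""
    hits = []
    for sub in subdirs:
        for top, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(top, name)
                if stat.S_ISREG(os.lstat(path).st_mode) and is_immutable(path):
                    hits.append(path)
    return sorted(hits)

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/mnt/suspect"  # assumed mount point
    for p in odd_dev_entries(root) + immutable_files(root):
        print("review:", p)
```

A disk with a static `dev/` may hold a few legitimate directories there, so compare the output against a known-good install of the same distribution.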