On 2009-08-08, pk <peterk2@××××××××.se> wrote:
> Grant Edwards wrote:
>
>> That's what I thought back when I was using dialup on a Linux
>> box that didn't have any servers running. Then one day I got
>> root-kitted.
>
> This may be off-topic but I'm curious about the details. Can you please
> elaborate?

Well, it was probably about 9 years ago, but here's the way I
remember it:

It started when I noticed the modem's RX/TX lights were
flashing when there was no reason for them to be doing so (I
was in the habit of keeping an eye on them to make sure the
connection was working OK). When I did a netstat, it showed
active network connections that shouldn't have been there, but
ps didn't show the processes that netstat said had connections
open. The "ps" binary had been replaced with a hacked version.
IIRC, so had the "lsof" binary, because it didn't show the
processes that had the connections open either.

I was running an RPM-based installation at the time (RH 6 or 7,
I believe), and an rpm "verify" command failed for a
handful of system-related binaries (among them ps and lsof):
they weren't the same files that rpm had installed.

The /proc filesystem was still complete, so I was able to track
down the suspect processes and find out what binaries they were
running. The binaries were very oddly named files in very
strange places. A web search for their names told me that they
were part of a rootkit that was used to remotely exploit Linux
machines.

I shut down the machine, rebooted from a liveCD, backed up some
user files, and did a clean install -- after which I signed up
for DSL and a Cisco 675 modem/router.

It was a very sobering experience...

--
Grant
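The two cross-checks Grant describes above, written out as an added example that is not code from the original thread: comparing the kernel's own process list in /proc against what the (possibly trojaned) ps binary reports, and reading `rpm -V` output to pick out package files whose content no longer matches what was installed. The function names, the sample `rpm -Va` lines and the PID lists in the test are assumptions constructed for illustration; only the live `/proc` walk touches the real system.

```python
#!/usr/bin/env python3
"""Cross-check the kernel's process list against a possibly trojaned ps,
and flag rpm-verified files whose content changed.

Added example, not code from the original thread. The sample rpm -V
output below is constructed for illustration.
"""
import os
import re
import subprocess

# One `rpm -V` line per file that fails verification: an 8- or 9-column
# attribute field (a dot means "unchanged"), an optional file-type letter
# (c=config, d=doc, g=ghost, l=license, r=readme), then the path.
# Files that are absent entirely are reported as "missing".
_VERIFY_LINE = re.compile(
    r'^(?P<attrs>[SM5DLUGTP.]{8,9}|missing)\s+'
    r'(?:(?P<ftype>[cdglr])\s+)?(?P<path>/\S+)\s*$'
)
ATTR_NAMES = {
    'S': 'size', 'M': 'mode', '5': 'digest', 'D': 'device', 'L': 'symlink',
    'U': 'owner', 'G': 'group', 'T': 'mtime', 'P': 'capabilities',
}


def parse_rpm_verify(output):
    """Parse `rpm -Va` output into {path: (ftype, set_of_changed_attrs)}."""
    result = {}
    for line in output.splitlines():
        m = _VERIFY_LINE.match(line)
        if not m:
            continue  # rpm also prints unrelated warnings; skip them
        attrs = m.group('attrs')
        if attrs == 'missing':
            changed = {'missing'}
        else:
            changed = {ATTR_NAMES[c] for c in attrs if c != '.'}
        result[m.group('path')] = (m.group('ftype'), changed)
    return result


def content_changed(verified):
    """Paths whose *content* differs from what the package installed.

    Config files ('c') legitimately change after install, so they are
    excluded, and an mtime-only change is noise. A swapped-in binary
    shows up with a digest (and usually size) mismatch.
    """
    return sorted(
        path for path, (ftype, changed) in verified.items()
        if ftype != 'c' and 'digest' in changed
    )


def hidden_pids(kernel_pids, ps_pids):
    """PIDs the kernel exposes in /proc but the ps binary does not report.

    Short-lived processes can land here by chance (they exit between
    the two listings), so re-check a hit a few times before calling it
    hidden.
    """
    return sorted(set(kernel_pids) - set(ps_pids))


def list_kernel_pids(proc_root='/proc'):
    """Enumerate PIDs straight from /proc, bypassing ps entirely."""
    return [int(d) for d in os.listdir(proc_root) if d.isdigit()]


def list_ps_pids():
    """PIDs as reported by the (possibly trojaned) ps binary."""
    out = subprocess.run(['ps', '-e', '-o', 'pid='],
                         capture_output=True, text=True, check=True).stdout
    return [int(tok) for tok in out.split()]


def describe_pid(pid, proc_root='/proc'):
    """Resolve what binary a PID is running, from the kernel's own records."""
    base = os.path.join(proc_root, str(pid))
    info = {'pid': pid, 'exe': None, 'cmdline': ''}
    try:
        # exe carries a " (deleted)" suffix if the binary was unlinked after exec
        info['exe'] = os.readlink(os.path.join(base, 'exe'))
        with open(os.path.join(base, 'cmdline'), 'rb') as fh:
            raw = fh.read().replace(b'\0', b' ')
            info['cmdline'] = raw.decode(errors='replace').strip()
    except OSError:
        pass  # process exited, or no permission: run as root for full coverage
    return info


# Constructed sample of `rpm -Va` output: a replaced ps and lsof, plus the
# ordinary noise of an edited config file, a touched doc file and a ghost.
SAMPLE_RPM_VERIFY = """\
S.5....T.    /bin/ps
S.5....T.    /usr/sbin/lsof
S.5....T.  c /etc/inittab
.......T.  d /usr/share/doc/procps/README
missing    g /var/log/lastlog
"""

if __name__ == '__main__':
    print('content changed:', content_changed(parse_rpm_verify(SAMPLE_RPM_VERIFY)))
    if os.path.isdir('/proc'):
        for pid in hidden_pids(list_kernel_pids(), list_ps_pids()):
            print('not reported by ps:', describe_pid(pid))
```

Two caveats worth keeping in mind when running this on a suspect box. The rpm database lives on the same compromised filesystem, so if the attacker edited it the verify pass is silent; `rpm -Vp` against a pristine copy of the package, or a check from boot media as Grant did, is the trustworthy version. And the /proc comparison only catches userland tampering (a replaced ps or lsof); a kernel-module rootkit hooks the syscalls that populate /proc itself, and then nothing run on the live system can be believed.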