| 1 |
On 2009-08-08, pk <peterk2@××××××××.se> wrote: |
| 2 |
> Grant Edwards wrote: |
| 3 |
> |
| 4 |
>> That's what I thought back when I was using dialup on a Linux |
| 5 |
>> box that didn't have any servers running. Then one day I got |
| 6 |
>> root-kitted. |
| 7 |
> |
| 8 |
> This may be off-topic but I'm curious about the details. Can you please |
| 9 |
> elaborate? |
| 10 |
|
| 11 |
Well, it was probably about 9 years ago, but here's the way I |
| 12 |
remember it: |
| 13 |
|
| 14 |
It started when I noticed the modem's RX/TX lights were |
| 15 |
flashing when there was no reason for them to be doing so (I |
| 16 |
was in the habit of keeping an eye on them to make sure the |
| 17 |
connection was working OK). When I did a netstat, it showed |
| 18 |
active network connections that shouldn't have been there, but |
| 19 |
ps didn't show the processes that netstat said had connections |
| 20 |
open. The "ps" binary had been replaced with a hacked version. |
| 21 |
IIRC, so had the "lsof" binary because it didn't show the |
| 22 |
processes that had the connections open either. |
| 23 |
|
| 24 |
I was running an RPM-based installation at the time (RH 6 or 7 |
| 25 |
I believe), and and an rpm "verify" command failed for a |
| 26 |
handful of system related binaries (among them ps and lsof): |
| 27 |
they weren't the same files that rpm had installed. |
| 28 |
|
| 29 |
The /proc filesystem was still complete, so I was able to track |
| 30 |
down the suspect processes and find out what binaries they were |
| 31 |
running. The binaries were very oddly named files in very |
| 32 |
strange places. A web search for their names told me that they |
| 33 |
were part of a rootkit that was used to remotely exploit Linux |
| 34 |
machines. |
| 35 |
|
| 36 |
I shut down the machine, rebooted from a liveCD, backed up some |
| 37 |
user files, and did a clean install -- after which I signed up |
| 38 |
for DSL and a Cicso 675 modem/router. |
| 39 |
|
| 40 |
It was a very sobering experience... |
| 41 |
|
| 42 |
-- |
| 43 |
Grant |
Archives