Subject: Re: system possibly compromised
To: None <rgfisch@excite.com, netbsd-help@netbsd.org>
From: Andy R <quadreverb@yahoo.com>
List: netbsd-help
Date: 02/24/2004 13:51:26
--- Roger Fischer <rgfisch@excite.com> wrote:
> 
> How can I determine if a root-kit has been installed
> or my system has been
> compromised in some other way?

This is by no means a complete solution, but if you
are positive you have a stock 1.6.1 userland, install
1.6.1 on another machine (preferably not on the
internet), and do checksums on the "usual suspects"
such as netstat, find, ls, ps, cron, etc. If those are
OK, you have a really good chance that you didn't get
rooted as far as covering up tracks is concerned.

>     13252   296   296 9a1f80    0 I    ??   0:00.01
> /USR/SBIN/CRON (cron)

I don't recall ever seeing a full path like that in
all caps. That is strange. If it didn't exist before,
then you need to look into that.

If you reasonably know what you did to your possibly
rooted machine, run find / > findfile.out on both
systems and then diff them. Also ls -laR / >
ls-laR.out. It's going to take a while to look through
all that, but if you see things that obviously don't
belong, investigate.

If you are being told you are sending spam, then build
lsof (in pkgsrc I believe) and run it in intervals
with a script and compare it to netstat -a output
(assuming netstat hasn't been wrapped). That might
help you figure out who's doing the sending.

Andy

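The checksum-the-usual-suspects and find-then-diff steps from the reply above, as an added example that is not part of the original post or of NetBSD. It assumes the clean reference install and the suspect system's root are both reachable as local directory trees (the suspect disk mounted read-only on the clean box, or a copy), and that a sha256 tool is available; the list of "usual suspect" binaries, the directory names and the two demo trees are constructed for the demo, not real NetBSD 1.6.1 files. The lsof/netstat part of the advice needs a live network stack and is not shown here.

```shell
#!/bin/sh
# Added example (not from the original post): compare a suspect userland
# against a known-clean reference tree, the way the reply suggests.
# $ref and $sus are hypothetical mount points; the demo trees are constructed.
set -u

# "Usual suspects": binaries a rootkit commonly replaces to hide itself.
SUSPECTS="bin/ls bin/ps usr/bin/find usr/bin/netstat usr/sbin/cron usr/bin/login"

# Cryptographic hash of one file. cksum's CRC is not enough: an attacker who
# controls the file can pad it to match, so prefer sha256. Tries the GNU,
# BSD and Perl tools in turn.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then sha256 -q "$1"
    else shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# One line per suspect binary that is missing from, or differs on, the
# suspect root compared with the clean reference root.
changed_binaries() {
    ref=$1; sus=$2
    for f in $SUSPECTS; do
        [ -f "$ref/$f" ] || continue
        if [ ! -f "$sus/$f" ]; then
            printf '%s MISSING\n' "$f"
        elif [ "$(hash_file "$ref/$f")" != "$(hash_file "$sus/$f")" ]; then
            printf '%s MODIFIED\n' "$f"
        fi
    done
}

# Equivalent of "find / > findfile.out" on one box: relative paths, sorted
# in the C locale so the two listings compare line by line.
list_tree() {
    (cd "$1" && LC_ALL=C find . | LC_ALL=C sort)
}

# Paths present only in the suspect tree (comm -13 keeps lines unique to the
# second file). Files that "obviously don't belong" show up here.
extra_paths() {
    ref=$1; sus=$2
    a=$(mktemp); b=$(mktemp)
    list_tree "$ref" > "$a"
    list_tree "$sus" > "$b"
    LC_ALL=C comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Constructed demo trees (placeholder text, not real binaries): the suspect
# copy has a replaced ps and a stray dotfile a stock install would not have.
make_demo() {
    base=$(mktemp -d)
    for r in ref sus; do
        mkdir -p "$base/$r/bin" "$base/$r/usr/bin" "$base/$r/usr/sbin" "$base/$r/usr/lib"
        for f in $SUSPECTS; do printf 'stock %s\n' "$f" > "$base/$r/$f"; done
    done
    printf 'trojaned ps: hides pids\n' > "$base/sus/bin/ps"
    printf 'irc bot\n' > "$base/sus/usr/lib/.x"
    printf '%s\n' "$base"
}

demo=$(make_demo)
echo "== modified/missing suspect binaries =="
changed_binaries "$demo/ref" "$demo/sus"
echo "== paths only on the suspect box =="
extra_paths "$demo/ref" "$demo/sus"
```

Run the hash step from the clean box against the suspect disk, never with the suspect box's own find, ls or sha256 tool, since those are exactly the binaries that may have been wrapped. The listing diff is noisy on a real root (logs, spool, home directories), so compare /bin, /sbin, /usr/bin, /usr/sbin, /usr/lib and /etc first.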