Re: Help with virus/hackers

From: Alan Cox (
Date: Thu Apr 17 2003 - 09:12:35 EST

On Iau, 2003-04-17 at 14:55, Richard B. Johnson wrote:
> (2) Boot with init=/bin/bash

Doesn't help you

> (5) Examine /etc/inetd.conf (if one exists). If you see an
> unusual entry near the end, you have been 'rooted'. Newer
> systems use xinetd and won't get invaded this way.
Wrong. Old xinetd < 2.3.10 has remote root exploits and real
ones circulate
> (6) Check /etc/passwd for a strange account.
Rootkits patch other stuff
> (7) Check /bin/login for a new file-date.
> (8) Check /usr/sbin/sendmail for a new file-date.
> Check /usr/sbin/inetd ""
> Check /usr/sbin/xinetd ""
> Check /usr/sbin/syslogd ""
> Check /usr/sbin/klogd ""
> Check /usr/sbin/in.* ""

Rootkits know about avoiding this

> If none of these have recent writes, just change the password on
> the root account and be happy. You just had some file-system
> corruption and you can fix up /etc/DIR_COLORS (for your color-ls
> problem) and fix /etc/profile or /root/.bashrc, /root/.profile
> to fix the bad environment variables created by these scripts.

Never do this. You don't know what else has changed on the system. You
should always (barring odd exceptions) do a full reinstall. Also clean
user executable files if necessary (root's .login is often archived and
people rerun exploits from it...)

See the CERT documents on recovering from an attack
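The exchange above turns on one point: a file-date check on /bin/login, sendmail, inetd and friends is exactly what a rootkit expects, because the modification time can be put back after the file is replaced. The following is an added example, not code from the thread or from either author: it builds a constructed miniature file tree in a temporary directory, records a baseline of SHA-256 digests, simulates a replaced binary whose mtime has been restored, and shows that the mtime comparison from the thread reports nothing while the digest comparison flags the file. The paths in WATCHED, the file contents, and the timestamps are all constructed for the demonstration.

```python
"""Why a file-date check is not evidence of an intact binary, and what to compare instead.

Added example for the thread above (not part of the original message).
Every path, file body and timestamp here is constructed for the demonstration.
"""
import hashlib
import os
import tempfile

# Files the thread suggests checking by date; relative paths under a constructed root.
WATCHED = ["bin/login", "usr/sbin/sendmail", "usr/sbin/inetd", "usr/sbin/syslogd"]

# A fixed, constructed mtime so the baseline is reproducible.
PINNED_MTIME = 1_000_000_000


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_fake_system(root):
    """Populate the constructed tree with placeholder 'binaries' and pin their mtimes."""
    for rel in WATCHED:
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(b"original " + rel.encode())
        os.utime(p, (PINNED_MTIME, PINNED_MTIME))


def build_baseline(root):
    """Record digest and mtime for each watched file; a real baseline lives offline."""
    baseline = {}
    for rel in WATCHED:
        p = os.path.join(root, rel)
        baseline[rel] = {"sha256": sha256_of(p), "mtime": os.stat(p).st_mtime}
    return baseline


def check_by_mtime(root, baseline):
    """The check proposed in the thread: report files whose mtime moved."""
    return sorted(rel for rel, rec in baseline.items()
                  if os.stat(os.path.join(root, rel)).st_mtime != rec["mtime"])


def check_by_hash(root, baseline):
    """The defender's check: report files whose content no longer matches the baseline."""
    return sorted(rel for rel, rec in baseline.items()
                  if sha256_of(os.path.join(root, rel)) != rec["sha256"])


def simulate_replaced_binary(root, rel):
    """Overwrite one watched file and restore its previous mtime (what Alan means by
    'rootkits know about avoiding this')."""
    p = os.path.join(root, rel)
    before = os.stat(p)
    with open(p, "wb") as f:
        f.write(b"replaced " + rel.encode())
    os.utime(p, (before.st_atime, before.st_mtime))


def demo():
    """Run both checks against the constructed tree after one file is replaced."""
    with tempfile.TemporaryDirectory() as root:
        make_fake_system(root)
        baseline = build_baseline(root)
        simulate_replaced_binary(root, "bin/login")
        return {
            "flagged_by_mtime": check_by_mtime(root, baseline),
            "flagged_by_hash": check_by_hash(root, baseline),
        }


if __name__ == "__main__":
    result = demo()
    print("mtime check flagged:", result["flagged_by_mtime"])  # nothing
    print("hash check flagged: ", result["flagged_by_hash"])   # ['bin/login']
```

The digest comparison only means something if the baseline was recorded before the compromise and kept off the host, and if the hashing tool and the Python interpreter it runs on are themselves trusted (booted from clean media, for instance), since the thread's point is that a rootkit patches whatever else it needs to. That is also why the comparison is for triage and evidence, not a substitute for the full reinstall Alan recommends.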
