Re: [SLE] chkroot claims top infected
From: David Herman (mesamoo115_at_comcast.net)
Date: 02/02/04
- Previous message: Sid Boyce: "Re: [SLE] CDRTools compile errors on 9.0 SOLVED!"
- In reply to: Thomas Jones: "Re: [SLE] chkroot claims top infected"
- Next in thread: David Herman: "Re: [SLE] chkroot claims top infected"
- Reply: David Herman: "Re: [SLE] chkroot claims top infected"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
To: suse-linux-e@suse.com
Date: Sun, 1 Feb 2004 16:47:28 -0800
On Sunday 01 February 2004 10:07 pm, Thomas Jones wrote:
------------snip---------------
>
> A couple notes:
>
> Have you checked your system logs?
Didn't see anything terribly unusual (things in the log before the
installation date look pretty much like they do after the install date)
but I don't necessarily know what I'm looking for.
>
> Did you have either a tripwire or AIDE database prior?
Neither. I have not gotten that far with my understanding of Linux (I'm
still trying to figure out how to set up Samba between my 2 machines.) The
Amiga I had before moving to Linux didn't really have such tools
available.
>
> Check for deleted (possibly trojaned) executables via:
>
> # file /proc/[0-9]*/exe|grep '(deleted)'
No result from this command.
>
> Also extract the binary version from the installation CD of ps,ls,who
> ----- commonly trojaned executables onto a floppy from another
> system. Write protect it!
>
> Then perform a compare of the valid(floppy) version against the
> possibly trojaned executable via:
>
> # cmp /media/floppy/valid_exec /bin/trojan_exec
>
> This will do a byte-by-byte comparison of both executables.
I'll give it a try. It sounds like Arjen, Ivan and Richard have done
quite a lot of examination of the problem file.
> You can search for the debugging symbols from the "trojaned"
> executable via:
>
> # nm trojan_exec | more
I've got the "good" previous versions of the command back on my machine
currently, so the output is what would be expected.
> Also check for any ascii text in the executable via:
>
> # strings -a trojan_exec | more
Thanks for the ideas Thomas, I'll file those commands away for future
reference.
PS. I sent some info from this thread to the suse-security list this
afternoon as Gar and Alex suggested. I'll pass along any definitive
results that come from that.
See ya
--
dh
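The two checks Thomas describes (processes whose executable has been deleted from disk, and a byte-for-byte `cmp` of installed binaries against a write-protected known-good copy) wrapped into reusable shell functions. This is an added example, not code from the thread; the paths `/media/floppy` and `/bin` in the usage comments are assumptions, and `readlink` stands in for `file` so the check works without libmagic.

```shell
#!/bin/sh
# Added example (not from the original thread). Run the functions from the
# trusted media too, since a compromised host can also replace cmp/readlink.

# 1. List processes whose executable no longer exists on disk.
#    Equivalent to: file /proc/[0-9]*/exe | grep '(deleted)'
deleted_exes() {
    for exe in /proc/[0-9]*/exe; do
        target=$(readlink "$exe" 2>/dev/null) || continue
        case "$target" in
            *"(deleted)") printf '%s -> %s\n' "$exe" "$target" ;;
        esac
    done
}

# 2. Byte-compare suspect binaries against a trusted copy (e.g. files
#    extracted from the install CD onto a write-protected floppy).
#    Prints one line per binary and returns the number that did NOT verify
#    (0 = all matched; the shell caps the return value at 255).
#    Usage: verify_binaries /media/floppy /bin ps ls who
verify_binaries() {
    trusted=$1; suspect=$2; shift 2
    bad=0
    for name in "$@"; do
        if [ ! -f "$trusted/$name" ]; then
            echo "MISSING reference: $trusted/$name"; bad=$((bad+1))
        elif [ ! -f "$suspect/$name" ]; then
            echo "MISSING suspect:   $suspect/$name"; bad=$((bad+1))
        elif cmp -s "$trusted/$name" "$suspect/$name"; then
            echo "OK       $suspect/$name"
        else
            echo "MISMATCH $suspect/$name (differs from $trusted/$name)"
            bad=$((bad+1))
        fi
    done
    return "$bad"
}
```

A MISMATCH also appears when the CD holds a different package version than the one installed, so confirm the package versions agree before treating a difference as a trojan.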