On Fri, Mar 23, 2001 at 04:34:37PM -0600, Melissa Plunkett wrote:
> > The t0rn rootkit replaces several binaries on the system in order to
> > stealth itself. Here are the binaries that it replaces:
> > 
> > du, find, ifconfig, in.telnetd, in.fingerd, login, ls, mjy, netstat,
> > ps, pstree, top

For people who aren't familiar with rootkits, this means that these
binaries won't show any suspicious processes or files running.

The only box I've seen rootkited with t0rn had a very high port open
running ssh though, so perhaps nmap could tell you something.

If you suspect a box is rooted, get it off the net fast, get some fresh
binaries of the aforementioned programs and have a dig around. Then
you'll probably want to reinstall, secure and change passwords.

Incidentally, if you have a box on a semi-permanent (cable) or permanent
IP address, you should have learnt about securing a box - shutting down
processes and closing ports. If none of those words are familiar to you,
and neither are the words portmap, nfs, or BIND, you very probably have a
vulnerable box.


Mary Gardiner
GPG Key ID: 77625870

techtalk mailing list

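The "fresh binaries and a dig around" step from the mail above, as an added example that is not part of Mary Gardiner's message or the t0rn thread. It is a small POSIX sh script of my own. It assumes a Linux box, a rootkit that only replaces userland binaries (so /proc is still telling the truth), and that you have copied known-good versions of the listed binaries from clean install media into a directory. The list TORN_BINARIES is taken from the quoted mail; the function names, the text files standing in for binaries, and the /proc/net/tcp sample are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original mail): helpers for digging around a
# box suspected of carrying a userland rootkit such as t0rn.
# Assumptions: Linux, userland-only rootkit, and a directory holding
# known-good copies of the binaries taken from clean install media.

# The binaries the quoted mail lists as replaced by t0rn.
TORN_BINARIES="du find ifconfig in.telnetd in.fingerd login ls mjy netstat ps pstree top"

# compare_binaries CLEAN_DIR LIVE_DIR NAME...
# For each NAME that has a known-good copy in CLEAN_DIR, print
# "NAME missing" if it is absent from LIVE_DIR and "NAME modified" if the
# live copy differs byte for byte. cmp(1) is used so no hash tool from the
# suspect box is trusted; run it from the clean media too if you can.
compare_binaries() {
    clean="$1"; live="$2"; shift 2
    for name in "$@"; do
        [ -f "$clean/$name" ] || continue     # nothing known-good to compare
        if [ ! -f "$live/$name" ]; then
            printf '%s missing\n' "$name"
        elif ! cmp -s "$clean/$name" "$live/$name"; then
            printf '%s modified\n' "$name"
        fi
    done
}

# listening_tcp_ports < /proc/net/tcp
# Parses the /proc/net/tcp format (the table netstat itself reads) and
# prints the decimal port of every socket in state 0A (LISTEN). Reading
# /proc directly sidesteps a trojaned netstat binary; it does not help
# against a kernel-level rootkit, which this example assumes is absent.
listening_tcp_ports() {
    # Field 2 is local_address as HEXIP:HEXPORT, field 4 is the state.
    tail -n +2 | while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue
        port_hex=${laddr#*:}
        printf '%d\n' "0x$port_hex"
    done
}

# Constructed sample of /proc/net/tcp: sshd on 22, a second listener on a
# very high port (31337), and one established connection that must be ignored.
sample_proc_net_tcp() {
    cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
   2: 0100007F:8000 0100007F:0016 01 00000000:00000000 00:00000000 00000000     0        0 1236 1 0000000000000000 100 0 0 10 0
EOF
}

# build_fixture DIR: constructed stand-in for "clean media" and the live
# system. Text files play the role of binaries; in the live copy "ps" is
# altered (trojaned) and "netstat" is deleted.
build_fixture() {
    dir="$1"
    mkdir -p "$dir/clean" "$dir/live"
    for n in ls ps netstat; do
        printf 'known-good %s\n' "$n" > "$dir/clean/$n"
        cp "$dir/clean/$n" "$dir/live/$n"
    done
    printf 'trojaned ps\n' > "$dir/live/ps"
    rm -f "$dir/live/netstat"
}

# Demo run on the constructed fixture.
fixture=$(mktemp -d)
build_fixture "$fixture"
echo "== binaries differing from the clean copies =="
compare_binaries "$fixture/clean" "$fixture/live" $TORN_BINARIES
echo "== TCP listeners read from the /proc/net/tcp sample =="
sample_proc_net_tcp | listening_tcp_ports
rm -rf "$fixture"
```

On a real box you would point compare_binaries at the mount of the clean media and at / (with the names prefixed by their real paths), and feed listening_tcp_ports the live /proc/net/tcp; a listener on a port you never opened is exactly the "very high port running ssh" the mail describes, and an nmap scan from another machine should agree with it.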