Since someone has already answered the ipchains drop/reject issue, I'll take a stab at the potential root kit problem. Since this machine is in an unknown state, here is what I would do:

1: From a trusted clean RH7.0 system (same version your friend is running), copy "md5sum" and/or "sum" to a floppy diskette.

2: Run "md5sum /sbin/* /usr/sbin/* /bin/* /usr/bin/*" and/or "sum /sbin/* /usr/sbin/* /bin/* /usr/bin/*" and redirect the output to a file such as "good.sums.txt", and copy that file to the floppy diskette.

3: Remove the diskette from the floppy drive and write-protect it.

4: Put the diskette into the "suspicious" system and copy all the files to /tmp.

5: Now, using /tmp/md5sum or /tmp/sum, check each file in /sbin, /usr/sbin, /bin, and /usr/bin, verifying their checksums against those in the "good.sums.txt" file generated by the clean machine.

This isn't a perfect solution, since md5sum and sum will use the libraries off of the infected machine.

The most common programs to become infected when a system is rooted are find, ls, ps, top, netstat, bash, sh, csh, echo, md5sum, sum, diff, etc.

A system I once worked on was rooted and the netstat command was compromised. When the bad netstat command was run, it did not show the ports it was listening on. When the bad ps and ls commands were run, they didn't show the back-door processes in memory, nor the special directory names it had them hidden under.

A good check is to run the "bad" netstat, saving its output to a file, then copy the good netstat from the clean server and run the clean netstat, saving its output to another file. Then run diff on the two files to see if there are any differences you can't account for.

This was my first tip. You could also run "rpm -Va" to check the RPM md5-signature against the md5-signature of the binary on disk. I would suppose that the root-kit writers will start taking this into account and mucking with the rpm database to cover their tracks soon...
:(

Dan

David Correa [mailto:tech@linux-tech.com] wrote:

[...snip...]

> The worst part was that I tried to use a program I found
> called chkrootkit-0.35, that did not find anything until the computer
> hung up at "Searching for suspicious files and dirs, it may take a
> while..."
>
> Now if I do a ps it never completes, I never get
> the root # back. The program stopped when it got to
> Searching for suspicious files and dirs, it may take a while...
> Now the computer does not even respond when I send a reboot
> command.
>
> I tried this chkrootkit-0.35 on other computers and it never did that.
>
> The guy does not have tripwire or anything like that.
>
> My guess is that this computer was rooted before I got to it.
>
> Any feedback is welcomed
>
> David Correa
> Public Key http://www.linux-tech.com/linuxtech.asc
> Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
>
> ------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
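The baseline-and-verify procedure from Dan's reply (steps 1 to 5), written out as a small POSIX sh script. This is an added example, not code from the list post or from any tool the thread mentions. It assumes you run make_baseline on the trusted host and verify_tree on the suspect host with MD5SUM pointed at the md5sum binary copied from the clean machine (for example /tmp/md5sum); the demo function builds two constructed sample directory trees in a temp directory so the script can be exercised without touching a real system. The caveat from the post still applies: even a clean md5sum binary links against the suspect host's libraries, so a mismatch list is evidence, not proof of cleanliness.

```shell
#!/bin/sh
# Added example (not from the list post): baseline-and-verify script for the
# checksum procedure above. MD5SUM defaults to the system md5sum; on the
# suspect host point it at the copy taken from the clean machine, e.g.
#   MD5SUM=/tmp/md5sum
MD5SUM=${MD5SUM:-md5sum}

# make_baseline ROOT DIR...  - emit "good.sums.txt" lines: "<md5>  <relative path>"
# Run on the TRUSTED host. Paths are stored relative to ROOT so the same list
# can be checked against another host's tree (or a mounted disk image).
make_baseline() {
    root=$1; shift
    for d in "$@"; do
        for f in "$root/$d"/*; do
            [ -f "$f" ] || continue            # skip dirs, sockets, unmatched globs
            rel=${f#"$root"/}
            printf '%s  %s\n' "$("$MD5SUM" "$f" | cut -d' ' -f1)" "$rel"
        done
    done
}

# verify_tree ROOT BASELINE - compare every baseline entry against ROOT.
# Prints one MISSING/MISMATCH line per finding; returns 1 if any were found.
verify_tree() {
    root=$1; baseline=$2; rc=0
    while read -r expected rel; do
        f="$root/$rel"
        if [ ! -f "$f" ]; then
            echo "MISSING  $rel"; rc=1; continue
        fi
        actual=$("$MD5SUM" "$f" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            echo "MISMATCH $rel"; rc=1
        fi
    done < "$baseline"
    return $rc
}

# demo [yes|no] - build two constructed sample trees in a temp dir, optionally
# tamper with the "suspect" one, and print the number of findings.
demo() {
    tamper=${1:-yes}
    work=$(mktemp -d)
    mkdir -p "$work/clean/bin" "$work/suspect/bin"
    for t in ls ps netstat md5sum; do
        printf 'constructed stand-in for %s\n' "$t" > "$work/clean/bin/$t"
        cp "$work/clean/bin/$t" "$work/suspect/bin/$t"
    done
    if [ "$tamper" = yes ]; then
        # constructed scenario: netstat replaced and ps deleted on the suspect host
        printf 'constructed replaced binary\n' > "$work/suspect/bin/netstat"
        rm "$work/suspect/bin/ps"
    fi
    make_baseline "$work/clean" bin > "$work/good.sums.txt"
    verify_tree "$work/suspect" "$work/good.sums.txt" | wc -l | tr -d ' '
    rm -rf "$work"
}

# Real use (illustrative paths, mirroring the post's directory list):
#   on the clean host:   make_baseline / sbin usr/sbin bin usr/bin > good.sums.txt
#   on the suspect host: MD5SUM=/tmp/md5sum verify_tree / /tmp/good.sums.txt
```

Because the baseline stores paths relative to the root you pass in, the same good.sums.txt also works against a suspect disk mounted read-only under another directory on the clean machine, which sidesteps the shared-library problem entirely. The read loop splits on whitespace, so it is fine for the system binary directories but would need adjusting for paths containing spaces.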