Mike Miller wrote:
> On Sun, 21 Nov 2004, Ryan O'Rourke wrote:
> 
>> Sam MacDonald wrote:
>>
>>> Sounds like you better check to see if you were rooted...
>>
>>
>> I was /really/ hoping no one would say that.
>> uh... Thanks.
> 
> 
> Sadly, I can tell you that I've had similar experiences.  When they 
> break into your system, they'll change the ls and ps binaries so that 
> they don't display certain files or processes that they are trying to 
> hide from you. In my experience, those very attempts to conceal the 
> break-in are sometimes of such poor quality that you detect the bad ls or 
> bad ps binary way before you would have noticed the other stuff they 
> were doing.

Third opinion anyone? Maybe with a better prognosis???

> I keep copies of ls and ps binaries on my system so that I can use them 
> if I think I've been cracked.

I don't understand what good that does if your system has been rooted 
though. Why can't an attacker just change those saved binaries as well?

Well, after booting from a Knoppix CD, mounting my drives, and running 
chkrootkit on them I get "Checking 'su' ... INFECTED". Not a good sign.

Now the question is - how do I go about figuring out how it was done? 
What kind of forensics can I do to turn this into a learning 
experience before I reformat and reinstall?

I'm kind of suspecting that one of my Windows users may be at fault 
here. Is it possible that one of them may have been compromised first 
and then the attacker used a password or key found in WinSCP to 
compromise my system? Or is it more likely the attack just came from 
the Internet directly through my one open port, past my router, past 
my firewall, and breached that way?

Any help appreciated.
Thanks.

-- Ryan

PS. Oh, and speaking of Knoppix - any chance of getting it added to 
our local TCLUG mirror?

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
Help beta test TCLUG's potential new home: http://plone.mn-linux.org
Got pictures for TCLUG? Beta test http://plone.mn-linux.org/gallery
tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
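An added example, not from anyone on this thread, showing the offline check the Knoppix approach makes possible: hash the binaries on the mounted suspect disk from trusted media and compare them with a manifest recorded earlier and stored off the box, which answers the "why can't the attacker change the saved copies too" objection. The manifest format, the file names and the temp-directory scenario are constructed for this example and are not a chkrootkit format.

```python
import hashlib
import os
import tempfile

# Run from trusted boot media with the suspect disk mounted read-only under
# `root`; never rely on the suspect system's own ls/ps/su or its kernel.
# Manifest format (constructed for this example, not a chkrootkit format):
# one line per file, "<sha256hex>  <path relative to root>".

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def make_manifest(root, rel_paths):
    """Record hashes while the system is still trusted; keep the result off-box."""
    return "".join(f"{sha256_of(os.path.join(root, p))}  {p}\n" for p in rel_paths)

def verify_manifest(root, manifest_text):
    """Map each manifest path to 'ok', 'MODIFIED' or 'MISSING'."""
    results = {}
    for line in manifest_text.splitlines():
        if not line.strip():
            continue
        expected, rel = line.split("  ", 1)
        full = os.path.join(root, rel)
        if not os.path.isfile(full):
            results[rel] = "MISSING"
        elif sha256_of(full) != expected:
            results[rel] = "MODIFIED"
        else:
            results[rel] = "ok"
    return results

def demo():
    """Constructed scenario: 'bin/su' replaced and 'bin/ps' deleted after the manifest was taken."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "bin"))
    names = ["bin/ls", "bin/ps", "bin/su"]
    for name in names:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"pretend " + name.encode())
    manifest = make_manifest(root, names)
    with open(os.path.join(root, "bin/su"), "wb") as f:
        f.write(b"trojaned su")  # stands in for what chkrootkit flagged as INFECTED
    os.remove(os.path.join(root, "bin/ps"))
    return verify_manifest(root, manifest)
```

A manifest left on the compromised disk can be edited along with the binaries, so the value comes from recording it while the system is known-good and reading it back from separate media.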