LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-12-2004, 04:54 PM   #1
DigaMe
LQ Newbie
 
Registered: Aug 2004
Posts: 2

Rep: Reputation: 0
Is '/usr/bin/find' reliable if '/bin/ls' has been replaced?


I have a system running RH9 which appears to have been compromised. I believe /bin/ls has been replaced with a "customized" version to confound attempts at inspecting the system. I am using /usr/bin/find (which appears to have been left alone) in order to identify all files which have changed since the time of the compromise (I don't think the intruder was clever enough to hide the footprints he left in the modification times of the files). My concern is that, if find relies upon ls, its output may also be unreliable.

Thanks for your help!
 
Old 11-12-2004, 06:41 PM   #2
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,164

Rep: Reputation: 330
I'm pretty sure that find just calls the stat system call directly, without interpreting ls results. However, if you suspect binaries have been replaced, you really ought to boot off known good media such as a rescue CD and then run a rootkit detector.
 
Old 11-12-2004, 11:42 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
You can try using rpm -Va to verify the integrity of system files (assuming that the md5sum and rpm binaries haven't been replaced either). Probably the best way to verify is to use a cdrom-based distro like knoppix and mount the potentially compromised drive read-only. Then calculate md5sums and compare to the "normal" versions. If your system has been compromised, then you will need to reformat the drive and re-install completely (don't reinstall from a backup). Simply replacing trojaned versions isn't a safe way to recover from a security compromise.
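The two replies above describe one procedure: boot known-good media, mount the suspect disk read-only, list what changed after the break-in using find's mtime test (which comes from stat(2), not from ls), and then compare checksums against a baseline. The script below is an added example, not code posted in this thread; it builds a small constructed directory tree and baseline manifest in a temp directory so it runs offline, where in practice the tree would be the mounted suspect root (the `/mnt/suspect` mount line in the comments is an assumption) and the baseline would come from clean media or the rpm database. The reference timestamp of 2004-11-12 is a constructed value standing in for the estimated time of compromise. Because find's answer comes from the kernel's stat(2), it is only as trustworthy as the kernel serving it, which is exactly why both replies insist on booting from known-good media rather than trusting the running system.

```shell
#!/bin/sh
# Added example (not from the thread). Offline integrity check of a suspect root
# filesystem. In practice, from rescue media, you would first do something like:
#   mount -o ro,noexec,nodev /dev/sda2 /mnt/suspect      # assumed device/mount point
# and point the functions below at /mnt/suspect. The tree built here is
# constructed so the script runs stand-alone.

# Build a constructed sample tree standing in for the mounted suspect root.
# Prints the root directory path; a baseline manifest is written beside it.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/usr/bin"
    printf 'original ls\n'   > "$root/bin/ls"
    printf 'original find\n' > "$root/usr/bin/find"
    printf 'original cat\n'  > "$root/bin/cat"
    # Baseline md5 manifest recorded "before" the compromise (paths relative to root)
    ( cd "$root" && md5sum bin/ls usr/bin/find bin/cat ) > "$root.baseline.md5"
    # Pretend the clean files were installed well before the incident (constructed dates)
    touch -t 200401010000 "$root/bin/ls" "$root/usr/bin/find" "$root/bin/cat"
    # Reference timestamp: estimated time of compromise; anything newer is suspect
    touch -t 200411120000 "$root/.reference"
    # Simulate the trojaned ls: rewritten now, so its mtime is after the reference
    printf 'trojaned ls\n' > "$root/bin/ls"
    echo "$root"
}

# List regular files under $1 whose mtime is later than the reference file $2.
# find evaluates -newer with stat(2) on each entry; it never runs ls, so a
# replaced /bin/ls cannot alter this list (a hostile kernel still could).
files_modified_since() {
    find "$1" -type f -newer "$2" | sort
}

# Verify the baseline manifest $2 against the tree rooted at $1 and print the
# relative paths whose md5 no longer matches. md5sum -c prints "path: FAILED"
# for each mismatch; --quiet suppresses the OK lines.
changed_by_checksum() {
    ( cd "$1" && md5sum -c --quiet "$2" 2>/dev/null ) | sed -n 's/: FAILED$//p'
}

# Stand-alone demonstration on the constructed tree.
SUSPECT_ROOT=$(make_sample_tree)
echo "Files modified since the reference time:"
files_modified_since "$SUSPECT_ROOT" "$SUSPECT_ROOT/.reference"
echo "Files whose checksum differs from the baseline:"
changed_by_checksum "$SUSPECT_ROOT" "$SUSPECT_ROOT.baseline.md5"
rm -rf "$SUSPECT_ROOT" "$SUSPECT_ROOT.baseline.md5"
```

Both functions flag only `bin/ls` on the constructed tree: the mtime test because it was rewritten after the reference time, the checksum test because its content changed. On a real disk, run the md5sum and find binaries from the rescue media, never from the suspect filesystem, and treat a mismatch in either list as confirmation that the box needs the reformat-and-reinstall the third reply recommends rather than a file-by-file repair.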
All times are GMT -5. The time now is 11:45 PM.