LinuxQuestions.org
Linux - Security
Old 11-15-2005, 02:10 PM   #1
ciscohead
Member
 
Registered: Mar 2003
Distribution: redhad 7.3
Posts: 42

rooted, can we salvage files


This friend of mine got rooted, we think. She had an unpatched old RH 7.3 system, and it had an iffy video card anyway and it wouldn't boot from any CDROMs any more, so it wasn't being used much. That's probably why she didn't upgrade it. Then one day she turned it on, got on the internet and was running. She needed to do a su and the response was "segmentation fault." Yeah right. I don't think so. She quit all apps, saved all files. She tried to shut it down with the software and it wouldn't let her. It kicked her back into her login. So she logged back in and checked to see if her files were still there. At that time they appeared to be OK. So she yanked power to the machine. After yanking the eth cable she later tried to cold boot and the cold boot hung. OK, we think the kernel is probably toast and we don't care because we needed to upgrade anyway. But she would like to get the files, particularly the ones she just updated when she discovered the intrusion.

We removed the hacked hard drive and put it in another box and booted from a Knoppix CD. Now the home directory for this user is showing up "locked" and we don't know how to get into it. Any ideas? What rootkit leaves this particular footprint?
 
Old 11-15-2005, 02:18 PM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Why do you think she got rooted? To me, your story sounds like that of a computer with bad RAM.

And the "locked" folder? I think that is the GUI way of displaying that you cannot write there perhaps? Did you try a terminal and "ls -la" to check the contents?

Eric
 
Old 11-15-2005, 02:43 PM   #3
ciscohead
Member
 
Registered: Mar 2003
Distribution: redhad 7.3
Posts: 42

Original Poster
Bad RAM

and a bad video card AND both CDROMs not bootable... what a P.O.S., eh? I'm not physically there right at the moment, so I can't answer your question. But I think she knows enough to try ls -al. Would be nice if that's all it was.
 
Old 11-15-2005, 04:38 PM   #4
ciscohead
Member
 
Registered: Mar 2003
Distribution: redhad 7.3
Posts: 42

Original Poster
She just called back to report that she burned a CD of all her files. I don't know whether she was really rooted or not, or why she couldn't get them or thought she couldn't. But she's wiping the drive now... so I guess it doesn't matter. And I got her set up with a new video card and some more RAM. Thanks. It's always a good day when data is saved.
 
Old 11-17-2005, 07:32 AM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Quote: it's always a good day when data is saved.
It's common for some rootkits to try and piggyback on system binaries (like Knark and /sbin/init), so I sure hope "saved data" only means user files from /home, config files from /etc and log files from /var, and not any system binaries. *If* a system got cracked, system binaries should *not* be trusted and used, unless you've got an isolated (disconnected) sandbox to check stuff on.
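The two practical points in this thread (check the "locked" home directory from a terminal rather than the file manager, and copy only user data, never system binaries, off a suspect disk) can be put into a small salvage script. This is an added example, not something posted in the thread or shipped with Knoppix; the device name and mount point are placeholders, and the allowed trees (/home, /etc, /var/log) follow unSpawn's list above.

```shell
#!/bin/sh
# Added example (not from the thread): pull user data off a suspect root
# filesystem that was attached to a clean live-CD box.
#
# Mount it read-only and with noexec,nosuid,nodev so nothing on the disk can
# run on the rescue system.  Device and mount point are placeholders:
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect
#
# A "locked" folder in a GUI file manager usually just means the live-CD user
# cannot write there; "ls -ld /mnt/suspect/home/user" shows owner and mode.

# salvage_dir SRC_ROOT DEST_ROOT
# Copies regular files from the data trees only.  /bin, /sbin, /lib, /usr and
# everything else are deliberately left behind.  Any executable or setuid file
# found inside the data trees is reported on stderr instead of copied, since
# a shell script or binary dropped into a home directory is exactly what a
# compromised box might leave there.
salvage_dir() {
    src="$1"
    dest="$2"
    for sub in home etc var/log; do
        [ -d "$src/$sub" ] || continue
        find "$src/$sub" -type f | while read -r f; do
            rel="${f#"$src"/}"
            if [ -x "$f" ] || [ -u "$f" ]; then
                echo "SKIP executable/setuid: $rel" >&2
                continue
            fi
            mkdir -p "$dest/$(dirname "$rel")"
            cp -p "$f" "$dest/$rel"
        done
    done
}

# Example invocation with placeholder paths:
#   salvage_dir /mnt/suspect /media/rescue 2> skipped.txt
# Review skipped.txt afterwards; anything listed there deserves a look on an
# isolated machine before it is ever trusted again.
```

The copied tree is plain data (graphics, mail, bookmarks, configs, logs), so it can be burned to CD or carried over to the reinstalled system without bringing a trojaned init or ls along with it.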
 
Old 11-18-2005, 09:38 AM   #6
ciscohead
Member
 
Registered: Mar 2003
Distribution: redhad 7.3
Posts: 42

Original Poster
absolutely right

My friend was only interested in saving her original data. The system binaries were all old & out of date anyway and she has install CDs for any software she really cares about.
She's a GIMP artist, so she had mainly graphics and her normal emails, bookmarks and stuff. Maybe the bad guys embedded steganography in her artwork, but I seriously doubt it.
 
Old 11-20-2005, 11:49 PM   #7
tkedwards
Senior Member
 
Registered: Aug 2004
Location: Munich, Germany
Distribution: Opensuse 11.2
Posts: 1,549

Just out of interest, did she re-install to something more recent than RH7.3? Her unpatched RH7.3 will probably just get cracked again, and I'm sure she'd appreciate the newer versions of GIMP that are in more modern distros such as Fedora, Mandriva or SUSE.
 
Old 11-21-2005, 12:31 AM   #8
ciscohead
Member
 
Registered: Mar 2003
Distribution: redhad 7.3
Posts: 42

Original Poster
absolutely

Apparently she had tried to upgrade ages ago but her CDROM drive wouldn't boot the FC4 CD, so she put it off. While I had it open I popped in a newer CD drive; now she's happily bashing away on FC4, and yes, she does like the new GIMP.
 