|
Compromised Slackware 9.1
Hi folks,
I found (using rkhunter) that the SuckIT rootkit had been applied to one of my older machines, running Slackware 9.1. I've removed all traces that I can find, but it seems that: /sbin/init /sbin/file are not from the original distro. Hashes don't match and I'm thinking that they need to be restored to their original install state. Does anyone know where I can obtain these? Thanks in advance for any/all comments. Regards, ~Ray |
Look at http://packages.slackware.it/browse.....1/slackware/a . Init program should be in sysvinit-2.84-i486-36.tgz package. But /sbin/file is more interesting - you can find File program in bin-8.5.0-i386-1.tgz package, but it is commonly installed in /usr/bin directory, not in /sbin ...
|
achu,
Thank you! Thank you! This is exactly what I was hoping to find. Best regards, ~Ray |
Quote:
~R |
Quote:
~R |
Yes, installation script will move /sbin/init.new to /sbin/init.
|
Achu, that's some seriously ill advice. If you never handled incidents like this please let somebody who does know handle it. If both of you would have searched this forum you would have found more than enough threads handling incidents. None of them talk about overwriting binaries with sane copies.
There's simple procedures for determining and recovering from a compromise. Thoroughly verifying the integrity of your system should be your first task, followed by finding out how the box got compromised. Restoring packages before doing any of that can and will destroy "evidence". Read these, act on them and then ask: - Intruder Detection Checklist (CERT): http://www.cert.org/tech_tips/intrud...checklist.html - Steps for Recovering from a UNIX or NT System Compromise (CERT): http://www.cert.org/tech_tips/root_compromise.html |
Thank you for the links. I have not overwritten anything and won't until I've a full understanding of what's happened. I do appreciate all the input!
Regards, ~Ray |
| All times are GMT -5. The time now is 01:17 AM. |