[oclug] Follow-up: ifconfig and netstat exist but don't?? ( please help... )

Matt Rose mattrose at folkwolf.net
Wed Mar 6 10:06:25 EST 2002 

It looks a LOT like somebody has installed a Rootkit (not a very good one,
at that), that probably doctored ls.  Since you're running redhat, I
suggest you go to your redhat site and grab a known good copy of the
fileutils RPM, and force the install of that, and see if you get the same
results.  If you don't get the same results as below, rpm has an option to
verify packages, and if a rootkit has been installed, it'll definitely
show up.


--------------------------------------------------------------------------
Matt Rose        mattrose at folkwolf.net          FolkWolf Consulting
This restaurant was advertising breakfast any time. So I ordered french
toast in the renaissance. - Steven Wright, comedian

On Wed, 6 Mar 2002, Mike wrote:

> Well, here we go; The computer I run uses Redhat 7.2
>     this is a sample of the output I have been getting:
> -----------------------------------------------------------------------
> [root at host /]# ls -alF /bin/netstat
> -rwxr-xr-x    1 root    root    35300 Sep 25    1983 /bin/netstat*
> [root at host /]# ls -alF /sbin/ifconfig
> -rwxr-xr-x    1 root    root    19840 Sep 25    1983 /sbin/ifconfig*
> [root at host /]# file /bin/netstat
> /bin/netstat: ELF 32-bit LSB executable, Intel 80386, version 1,
> dynamically linked (uses shared libs), stripped
> [root at host /]# file /sbin/ifconfig
> /sbin/ifconfig: ELF 32-bit LSB executable, Intel 80386, version 1,
> dynamically linked (uses shared libs), stripped
> [root at host /]# /bin/netstat
> bash: /bin/netstat: No such file or directory
> [root at host /]# file /sbin/ifconfig
> bash: /sbin/ifconfig: No such file or directory
> [root at host /]#
> -----------------------------------------------------------------------
>     b.t.w. this computer is behind a nexland router with
> built in firewall.  FTP and Telnet are currently enabled
> as direct to this box through the router, I'm not sure that
> I have been hacked as there are only 4 acc'ts on this box.
>
> ps.. I did a ls -F in the /, /root, /boot dirs and did not find an empty
> directory....
> also I will attent the Thursday meeting at Rideau, A131 so maybe if you
> want to chat there?
>
> _______________________________________________
> oclug mailing list
> oclug at lists.oclug.on.ca
> http://www.oclug.on.ca/mailman/listinfo/oclug
>

More information about the OCLUG mailing list