Subject: Re: I've been hit with ksyslogd
From: David D.W. Downey (david.downey CODECASTLE.COM)
Date: Fri Oct 13 2000 - 13:46:03 CDT
- Next message: David D.W. Downey: "Re: nmap"
- Previous message: Joel Sing: "Re: Newbie: what does this mean?"
- In reply to: Chris Jones: "Re: I've been hit with ksyslogd"
- Next in thread: Daniel P. Zepeda: "Re: I've been hit with ksyslogd"
- Reply: David D.W. Downey: "Re: I've been hit with ksyslogd"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Based on the later emails that I've read, based upon the fact that Chris
is correct that Red Hat loads it from its own rc file, and that you also
have a timestamp showing a login in the logs at the same timestamp period
as that on your binary and inittab, I would WHOLEHEARTEDLY agree with
Chris that it's a bad binary.
I would be so bold as to go one step further and suggest that you
THOROUGHLY audit the system. Usually, when a cracker replaces a specific
binary like that it's part of a root kit. I would suggest that you check
the entire system for other trapped binaries. If you are in a corporate
production environment, image the system so you can dump it to a NON
PRODUCTION machine to investigate what happened, then wipe the affected
system, then reinstall a KNOWN working/secure image.
On Fri, 13 Oct 2000, Chris Jones wrote:
> Hi
>
> > Well, I'm not sure it's kernel daemon.
>
> I suspect you are probably right
>
> > Maybe he has named his daemon like the logger.
>
> That sounds very likely
>
> > In all my pc I run Rh6.2 but none of them contains the line:
> > ld:2345:respawn:/usr/sbin/ksyslogd
>
> To me that is the absolute giveaway that it is something that shouldn't be
> there. RedHat don't start the kernel logger from inittab, rather from its
> own rc script (/etc/rc.d/init.d/syslog - starts klogd and syslogd).
>
> For those who aren't convinced, this is from a stock RH6.2 box:
>
> -(root shogun)-(/etc)- grep -r ksyslogd *
> -(root shogun)-(/etc)-
> -(root shogun)-(/etc)- locate ksyslogd
> -(root shogun)-(/etc)-
>
> So, unless you (or someone else there) has specifically installed a ksyslogd
> package, this is probably a crack.
> I would leave the service disabled and investigate the ksyslogd binary.
>
> --
> Chris Jones
> Sysadmin
> ICM Group
>
> Anything I say is probably not the opinion
> of my employers, the spineless bastards.
>
--
David D.W. Downey
Red Hat Certified Engineer | Internet Security Specialist
KiXO Linux http://www.KiXOLinux.com | http://sourceforge.net/projects/kixolinux
Member OSWG, LPI http://www.owsg.org | http://www.lpi.org
Resume: http://www.brainbench.com/transcript.jsp?pid=96113
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
"Any lad can choose the mundane, but tis the explorers that are truly free in choice!"
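The audit both posters describe (find inittab entries that a stock Red Hat box would not have, then check whether the binary they respawn belongs to any installed package) can be scripted. The POSIX shell script below is an added example written for this archive page, not code from David's or Chris's posts. It assumes the known-good respawn commands on a stock Red Hat 6.2 install are /sbin/mingetty and /etc/X11/prefdm (an assumption; set KNOWN_RESPAWN from your own baseline), and it uses `rpm -qf` only when rpm is present. The sample inittab it demonstrates against is constructed for the example and contains the suspicious line quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the original thread): audit an inittab for
# "respawn" entries outside a known-good list, and ask rpm who owns
# each flagged binary. Usage: sh audit_inittab.sh /etc/inittab

# Assumption: respawn commands expected on a stock Red Hat 6.2 box.
# Replace with the baseline captured from your own known-good image.
KNOWN_RESPAWN='/sbin/mingetty /etc/X11/prefdm'

# Constructed sample inittab used for the demo; the ld: line is the one
# quoted in the thread, the rest are stock-looking entries.
sample_inittab() {
    cat <<'EOF'
id:3:initdefault:
# System initialization.
si::sysinit:/etc/rc.d/rc.sysinit
1:2345:respawn:/sbin/mingetty tty1
2:2345:respawn:/sbin/mingetty tty2
ld:2345:respawn:/usr/sbin/ksyslogd
x:5:respawn:/etc/X11/prefdm -nodaemon
EOF
}

# Read inittab lines (id:runlevels:action:process) on stdin and print every
# respawn entry whose command (first word of the process field) is not in
# KNOWN_RESPAWN. Comment lines are skipped; the process field keeps any
# colons or arguments it contains.
unexpected_respawns() {
    grep -v '^[[:space:]]*#' | while IFS=: read -r id levels action process; do
        [ "$action" = "respawn" ] || continue
        cmd=${process%% *}
        case " $KNOWN_RESPAWN " in
            *" $cmd "*) ;;   # expected on a stock box
            *) printf '%s:%s:%s:%s\n' "$id" "$levels" "$action" "$process" ;;
        esac
    done
}

# Report which package (if any) owns a file. A binary that rpm does not
# know about is exactly what Chris's grep/locate checks were looking for.
# Note the rpm database itself lives on the suspect system; treat a clean
# answer as weak evidence, which is why the thread recommends imaging and
# investigating offline.
package_owner() {
    f="$1"
    if command -v rpm >/dev/null 2>&1; then
        rpm -qf "$f" 2>/dev/null || echo "NOT OWNED BY ANY PACKAGE: $f"
    else
        echo "rpm unavailable on this host, cannot check: $f"
    fi
}

# Full audit over an inittab on stdin: flag entries, then check ownership.
audit_inittab() {
    unexpected_respawns | while IFS=: read -r id levels action process; do
        cmd=${process%% *}
        echo "UNEXPECTED respawn entry '$id' (runlevels $levels) runs $cmd"
        package_owner "$cmd"
    done
}

if [ -n "${1:-}" ]; then
    audit_inittab < "$1"
else
    echo "--- no file given; auditing constructed sample inittab ---"
    sample_inittab | audit_inittab
fi
```

Run it with the real file (`sh audit_inittab.sh /etc/inittab`) on the imaged copy rather than the live host; the same pipeline generalises to any inittab-style file, and the known-good list is the only part that is distribution-specific.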