Challenge: How Did These Processes Get Here?
Every now and then I like to issue challenges to my readers. This week you have another chance to test your wits against a problem, but the rewards are higher. Instead of a measly postcard, the winner will get a copy of Hacking Linux Exposed, Second Edition. I'll pick the winner from those who figure out the problem, based on the quality of the analysis of the problem described below. Anyway, onto the problem.
A user wrote me in a exasperated state. His machine had been cracked (his root password was less than stellar) and the cracker had installed various user-level rootkits and software. He had done a good job of removing the rootkits and cracking tools. When booting off CD (thus with no chance for any kernel modifications) he could see that there was nothing left that hadn't been accounted for. All the /etc/rc?.d directories were as they should be, no suspicious entries in /etc/xinetd.conf or /etc/xinetd.d.
He had no file integrity tools on this system (Tripwire, AIDE, etc) but he did verify each and every file that had a modification date and/or change date from the time the cracker entered, and nothing suspicious was in them.
[ Read more ]