[ILUG-BOM] Linsniffer !
Mon Jun 25 22:01:02 IST 2001
On Fri, 22 Jun 2001, Benoy George spewed into the ether:
> Hi Everybody
> somebody sniffed our local network!
huh? Someone else had root on at least one of your machines?
> that automatically generated mail on our RH 6.1 server (posted earlier)
> was generated by linsniffer only.
> I found the same mail generated to another
> address max_003_2000 at yahoo.com
> with subject "F the rwetter"
> he replaced the netstat,ifconfig,top,ps to some
> older version created on Sep 26 1983.
Looks like a standard rootkit. Dates can be changed, there are programs
available to do that,'
> chor is here n /dev/ida/.inet
You mean cracker
> ls -l /dev/ida/.inet
<snip rootkit detauls>
> how can I find more details like who is this sniffer and when he enter in to
> our m/c?
How much damage did you do to the machine?
If you haven't messed around much, make a bitwise backup of the machine
to a clean hard disk( by clean I mean run
dd if=/dev/zero of=/dev/hd<whatever> bs=512
Then after you have a backup of the disk, make a copy to do your
research on. Look in the archives of the incidents list at
http://securityfocus.com to see if someone has got hit by the rootkit
before. Run strings on the second copy of the image to see details. You
should be able to see erased logs, and such details (if it is not too
> Any way I am very happy to learn about all these things.
> thankyou linsniffer. As a layman this is good experience for me.
http://securityfocus.com. Quite a few good security lists there
> waiting for more comments on security issues, hacking and
BTWm rebuild that compromised machine, install all patches, and then
install tripwire. Replace Bind by DJBDNS, Sendmail by Postfix or Qmail
(simply because sendmail is too complex). [Note: Do *not* install any
software that you do not run, what is not installed cannot be
The difference between reality and unreality is that reality has so
little to recommend it.
-- Allan Sherman
More information about the Linuxers