Re: pam, ssh, user account vulnerability

Rick Moen <rick@linuxmafia.com> wrote:
> Lenny G. <alengarbage@yahoo.com> wrote:
> [Intruders entered via a guessed username/password pair.]
>> Luckily, the attacker wasn't able to compromise anything else on the
>> system -- they weren't able to get a local root elevation and the
>> system is otherwise (verifiably) intact (thank you rpm -Va!).
> You sure about that?
Yes - it does sound a little as though he has an adore module
installed. He DOES want to boot from a live CD, get chkrootkit,
and run it on the disk, mounted under /mnt.
He wants to avoid his normal init sequence, as the files will have been
doctored to install the module at each boot. A simple ls -lr on the
init scripts can show the trail, but it's generally sysklogd's script
which has had the extra lines added.
> 2b. My recollection is that the check also excludes many (all?) package
> configuration files; otherwise, there would be lots of false positives
> caused by normal sysadmin-created local machine configuration data.
Makes sense. But if it's an adore module the checksums will be correct
anyway. Neither he nor the checksummer will see the REAL files.
> You have to make a judgement call as to whether you think your system
> has been root-compromised. Tough one. It might help to install your
> distro onto a second machine and compare all the PAM-related files you
> can find, between the hosts.
Only after avoiding his own init sequence!
Peter |
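The offline checks the reply recommends, as an added example that is not part of the original thread: comparing the PAM-related files of a suspect root filesystem (mounted read-only from a live CD, so the running kernel's module cannot hide anything) against a clean reference install, and listing init scripts that are newer than a known-good one. The script is written in POSIX sh; the directory layout (`etc/pam.d`, `lib/security`, `etc/init.d`), the `chkrootkit -r` invocation mentioned in a comment, and the two sample trees it builds under a temp directory are assumptions for a dry run, not data from the thread.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Intended use from a live CD, after mounting the suspect disk read-only:
#   mount -o ro /dev/sda1 /mnt && chkrootkit -r /mnt     # assumed layout
#   pam_diff /path/to/clean-reference-root /mnt
#   init_scripts_newer_than /mnt /path/to/clean-reference-root/etc/init.d/sysklogd
# Below, the two roots are constructed in a temp dir so the script runs offline.

hash_file() {
    # sha256sum on Linux, shasum on BSD/macOS; print only the digest.
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Print "relative-path digest" for every regular file under the given
# subdirectories of a root, so two roots can be compared line by line.
tree_hashes() {
    root=$1; shift
    for sub in "$@"; do
        [ -d "$root/$sub" ] || continue
        find "$root/$sub" -type f | LC_ALL=C sort | while read -r f; do
            printf '%s %s\n' "${f#$root/}" "$(hash_file "$f")"
        done
    done
}

# Relative paths of PAM-related files that differ between a reference root
# ($1) and a suspect root ($2), including files present on only one side.
# Subdirectories checked are an assumption; adjust to the distro's layout.
pam_diff() {
    a=$(mktemp); b=$(mktemp)
    tree_hashes "$1" etc/pam.d lib/security > "$a"
    tree_hashes "$2" etc/pam.d lib/security > "$b"
    # Lines identical on both sides appear twice and are dropped by uniq -u;
    # a changed file leaves one line per side, reduced to its path by sort -u.
    sort "$a" "$b" | uniq -u | cut -d' ' -f1 | LC_ALL=C sort -u
    rm -f "$a" "$b"
}

# Init scripts under a root ($1) whose mtime is newer than a reference file
# ($2), e.g. the same script on a clean install: the trail the reply says
# "ls -l" on the init scripts can show, without trusting the suspect kernel.
init_scripts_newer_than() {
    root=$1; ref_file=$2
    find "$root/etc/init.d" -type f -newer "$ref_file" | sed "s|^$root/||" | LC_ALL=C sort
}

# Build a constructed reference tree and a suspect tree that differ in two
# files (a PAM module and the sysklogd init script). Prints the temp dir.
build_demo() {
    demo=$(mktemp -d)
    for side in ref suspect; do
        mkdir -p "$demo/$side/etc/pam.d" "$demo/$side/lib/security" "$demo/$side/etc/init.d"
        printf 'auth required pam_unix.so\n' > "$demo/$side/etc/pam.d/sshd"
        printf 'original module bytes\n' > "$demo/$side/lib/security/pam_unix.so"
        printf '#!/bin/sh\nstart syslogd\n' > "$demo/$side/etc/init.d/sysklogd"
        printf '#!/bin/sh\nstart sshd\n' > "$demo/$side/etc/init.d/sshd"
    done
    # Date every file back to 2000-01-01, then tamper with the suspect side
    # (content changes and the mtime becomes "now").
    find "$demo" -type f -exec touch -t 200001010000 {} +
    printf 'trojaned module bytes\n' > "$demo/suspect/lib/security/pam_unix.so"
    printf 'insmod /lib/modules/adore.o\n' >> "$demo/suspect/etc/init.d/sysklogd"
    printf '%s\n' "$demo"
}

demo=$(build_demo)
echo "PAM-related files differing between reference and suspect:"
pam_diff "$demo/ref" "$demo/suspect"
echo "init scripts on the suspect root newer than the reference sysklogd script:"
init_scripts_newer_than "$demo/suspect" "$demo/ref/etc/init.d/sysklogd"
rm -rf "$demo"
```

Both functions only read the mounted tree, so they are safe to run against a read-only mount; the comparison is only meaningful when the suspect filesystem is examined from a clean kernel, exactly the point the reply makes about avoiding the normal init sequence.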