missing /bin directory

Erich Schrottke sharky at websharx.com
Thu Mar 8 12:08:47 PST 2001


Thanks everyone so far! 

OK, got Tom's bootdisk to work (thanks John), and I was able to kinda
recreate my old setup by mounting things in appropriate places by looking
at my old /etc/fstab file.

I appreciate the advice Warren, I'm definitely doing a fresh RH6.2 install
and just moving my home directories after this.

Not sure if anyone else is interested in this, but I'm trying to document
what I've found and am doing in case it might be of help to others. If I'm
way off base please just let me know and I'll stop updating my progress to
the list.

---------------------------

Once I recreated directories I started looking around for differences. And
noted the following:

* /bin is gone (duh)

* There's a new eggdrop directory in / tagged about 6:15am this morning (I
got up and on my box at about 6:30am and the first cron errors started about
6:45. Must've seen me go active or something.)

* In /tmp there are some new files, most specifically one called su.c that
looks to have been compiled and run... successfully, I'd think (big duh).

* Additionally, there's a .bash_history in /tmp as well.

* Unfortunately, jumping into the /var/log directory reveals absolutely
squat! I can't find any entries for 3/8/1 at all... nothing in
messages, secure, or xferlog that might indicate anything funky.

* The eggdrop directory has an egg.txt file that was edited at 6:20am, and
settings look to have been configured.

* There's a new directory in /home, and from looking at the .bash_history
files, at least 1 has been created and deleted.

I have a feeling I might have just walked in on this guy as he was
beginning to 'own' me. (thank God!)

Here are my thoughts at this point:

1) Re-installing a new setup is annoying and time-consuming, but always
educational :) I'm smiling cuz I will try and learn from this as always.

2) I'm concerned about how he possibly got in. I'd certainly like to
prevent it from happening in the future. I know that TELNET was disabled,
but ftp, apache (fp extensions and cgiemail only scripts running), sshd,
named, mysql, and basic services were running. But other than looking at logs
and history files, I'm unsure of where to go next. Any advice on what else
to check for to try and find the entry point?

*NOTE: Is leaving an inactive SSH connection up (it was running pine) to a
box within your same local subnet a security risk?

3) Chasing the culprit down? There are some outgoing FTP connections to at
least two sites that I can see; is there any value in trying to trace this
further?

Well thanks to all who've responded so far, and sorry for the bandwidth
waste for those of you this may be boring to death. I'd like to learn from
this with help from those more experienced, but also share what I'm
learning for those who haven't had this particular joy yet.

Any advice on the thoughts above, as always much appreciated!

Thanks!
	Erich



On Thu, 8 Mar 2001, Warren Togami wrote:
> I would highly suggest that you do a complete backup and install Linux from
> scratch.  That is the only way to make sure that your system will be
> completely clean.  Once your new system is running, restore the backup to
> another directory tree then copy over your personal files.
> 
> Also please use Redhat 6.2 or 7.0.  It will be an uphill battle to secure
> your 6.0 installation again.  6.2 and 7.0 have the benefit of up2date.  No
> more downloading packages from mirrors and such.  You can also use Ximian
> Update or Ximian Red Carpet to update your operating system packages.  Red
> Carpet is only beta right now, but it will soon become the best updater for
> Redhat installations, rivaling apt-get in its dependency resolution and ease
> of package maintenance.
> 
> Also, if you use Redhat 6.2 or 7.0, IMMEDIATELY SHUT OFF ALL SERVICES after
> your install, then update.  Both are susceptible to the "Ramen worm" that
> cracks through the vulnerable lpd and wuftpd daemons.
> 
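As an added example that is not part of the original thread, the script below turns the checks Erich lists (files touched around the time of the first cron errors, a setuid binary built from su.c in /tmp, a stray .bash_history in /tmp, a new home directory, logs with nothing from the day of the incident) into a repeatable triage pass over a root filesystem mounted read-only from a rescue boot disk. The mount point, the 06:00 cutoff time and the small sample tree it builds are assumptions made for illustration; run it against a real mount with the `find` from the rescue media, not from the suspect disk.

```shell
#!/bin/sh
# Offline triage of a compromised root filesystem mounted under a rescue boot.
# Added example, not from the thread. The mount point, the cutoff time and the
# sample tree below are assumptions. Only POSIX find/grep/touch are used, so it
# runs from a minimal rescue environment as well as a modern shell.

# Regular files modified after the cutoff. $2 is a reference file whose mtime
# is the cutoff (first cron error); /proc is skipped in case it is mounted.
list_new_files() {
    find "$1" -type f -newer "$2" ! -path "$1/proc/*" | sort
}

# Setuid binaries anywhere on the disk. Anything outside the stock system paths
# (such as a freshly built /tmp/su) is a finding.
list_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# Shell history outside /root and /home points at a session run from an odd
# working directory or under an unexpected account.
list_stray_history() {
    find "$1" -name .bash_history ! -path "$1/root/*" ! -path "$1/home/*" | sort
}

# C sources left in /tmp, typically a local exploit build that was not cleaned up.
list_tmp_sources() {
    find "$1/tmp" -name '*.c' | sort
}

# Log files that hold no line for the incident day. $2 is the syslog date
# prefix, e.g. "Mar  8". An empty day in messages/secure is itself evidence
# (wiped, or syslog stopped), so these files are reported rather than ignored.
logs_missing_date() {
    for f in "$1/var/log/messages" "$1/var/log/secure"; do
        [ -f "$f" ] && ! grep -q "^$2" "$f" && echo "$f"
    done
    return 0
}

# Constructed sample tree modelled on the findings in the thread so the script
# runs offline. Prints the root; the cutoff reference file is $root/.ref.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/tmp" "$root/eggdrop" "$root/home/newuser" \
             "$root/var/log" "$root/usr/bin"
    # Pre-incident state: a stock setuid passwd and logs that stop the day before.
    printf 'Mar  7 23:59:00 host syslogd: restart\n' > "$root/var/log/messages"
    printf 'Mar  7 23:58:00 host sshd[99]: session closed\n' > "$root/var/log/secure"
    touch -t 200103010000 "$root/usr/bin/passwd" "$root/var/log/messages" \
                          "$root/var/log/secure"
    chmod 4755 "$root/usr/bin/passwd"
    # Cutoff: 2001-03-08 06:00 (constructed).
    touch -t 200103080600 "$root/.ref"
    # Intruder artefacts, all stamped 06:15.
    touch -t 200103080615 "$root/eggdrop/egg.txt" "$root/tmp/su.c" "$root/tmp/su" \
                          "$root/tmp/.bash_history" "$root/home/newuser/.bash_history"
    chmod 4755 "$root/tmp/su"
    echo "$root"
}

# Human-readable report for a mounted root; $2 is the syslog date prefix.
triage() {
    echo "== files modified after cutoff ==";   list_new_files "$1" "$1/.ref"
    echo "== setuid files ==";                  list_setuid "$1"
    echo "== history outside /root,/home ==";   list_stray_history "$1"
    echo "== C sources in /tmp ==";             list_tmp_sources "$1"
    echo "== logs with no entries for $2 ==";   logs_missing_date "$1" "$2"
}

# Demonstration on the constructed tree; replace with e.g. triage /mnt/victim "Mar  8".
demo_root=$(make_sample_root)
triage "$demo_root" "Mar  8"
rm -rf "$demo_root"
```

Two caveats a practitioner would apply: an intruder can reset mtimes with `touch`, so on a GNU rescue system repeat the first pass with `-cnewer` (ctime cannot be set from userland) and treat disagreement between the two lists as a finding; and the script reads the disk but never executes anything from it, which is the point of triaging from a boot disk in the first place.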