[OLUG] mtab

Drazak drazak at moongate.net
Tue Dec 14 23:38:24 UTC 1999


Correct.  He could have modified the rpm binary itself to not report
anything funny.  Other nice things to modify include netstat, login,
telnetd, syslogd, anything else that might give him access and then hide
his tracks.  You need to reinstall if this box is going to remain on the
net.

_Drew

On Tue, 14 Dec 1999, Mark Hagler wrote:

> The /net mount point is a "virtual" one that is managed by the automounter.
> When the amd process is running (process 502, in this case) it will provide
> the /net mountpoint as the link between its kernel drivers and userspace.
> Nobody added this to the mtab, they merely started the automounter process.
> 
> Incidentally, the /etc/mtab file should never be edited by hand.  The mount
> command references and updates this file as you mount and unmount filesystems,
> and it's there so the system can keep track of what filesystems are mounted,
> what devices they are on, and options they were mounted with.
> 
> I would also recommend scrubbing your box after anything has compromised
> the security of it.  If you are using a RedHat box, you can ask rpm to
> verify the packages that are installed.  This will flag any files that have 
> been modified from their originally installed version.  Some files in /etc
> are normal (/etc/passwd for example) but if you see stuff in /bin or /usr/bin
> flagged for any reason, it's probably a bad deal.  Also, if you have a 
> really, really smart hacker, the RPM database can be modified to make it think 
> that the new checksums on the files are correct, and then the RPM verification
> will not flag anything.
> 
> The only positive way to be sure your box is clean is to re-install it.
> 
> On Tue, Dec 14, 1999 at 12:40:04PM -0600, Todd wrote:
> > 	Can anyone tell me what this entry in the mtab file would cause:
> > cx444541-b:(pid502) /net nfs intr,rw,port=1023,timeo=8,retrans=110,indirect,map=/etc/amd.net,dev=00000003 0 0
> > 	When someone gained access to my box they added this line to the mtab file.
> > Just wondered what they were trying to mount.
> > 
> > 
> > -------------------------------------------------------------------------
> > Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
> > To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 
> 
> -- 
>   Email is packaged by intellectual weight, not volume. Some
>   settling of contents may have occurred during transmission.
> 
> 


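The package-verification step Mark describes, carried through as an added example (this is not code from the thread, from Red Hat or from rpm itself). `rpm -Va` prints one line per file that fails a test: a flag string (S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, and P capabilities on newer rpm releases; a dot means the test passed) or the word "missing", an optional attribute letter such as "c" for config files, and the path. The function below, `suspect_binaries` (a name chosen here), applies Mark's rule of thumb: drop config-file entries, which change in normal use, and report anything under a system binary directory. The sample report is constructed for the example; the attribute column is assumed to be present only when rpm prints one.

```shell
#!/bin/sh
# Added example for the OLUG thread, not code from the thread or from rpm.
# Triage `rpm -Va` output: rpm -V prints one line per file that fails a
# test.  Field 1 is the flag string (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime, P capabilities on newer rpm; '.' means
# passed) or the word "missing"; an optional attribute letter follows
# (c = config file, d = documentation, ...); the last field is the path.
# Changed config files under /etc are expected; anything reported under a
# system binary directory deserves a look.

# Constructed sample, in rpm -V's format (invented for this example).
SAMPLE='S.5....T  c /etc/passwd
.......T    /usr/share/man/man1/ls.1.gz
S.5....T    /bin/login
.M.....T    /usr/bin/passwd
S.5....T    /usr/bin/netstat
missing     /usr/sbin/in.telnetd
..5....T  c /etc/syslog.conf'

# suspect_binaries: read rpm -V lines on stdin; print "<flags> <path>" for
# every non-config entry under /bin, /sbin, /usr/bin, /usr/sbin or the
# /usr/local equivalents, sorted bytewise so the output is stable.
suspect_binaries() {
    awk '
        {
            path  = $NF
            attr  = (NF == 3) ? $2 : ""   # attribute letter, if present
            flags = $1                    # flag string or "missing"
        }
        attr == "c" { next }              # config file: edits are normal
        path !~ "^/(usr/(local/)?)?s?bin/" { next }
        { printf "%s %s\n", flags, path }
    ' | LC_ALL=C sort
}

# Stand-alone run against the constructed sample.  On a live box you would
# instead pipe in the real report:  rpm -Va | suspect_binaries
printf '%s\n' "$SAMPLE" | suspect_binaries
```

On the sample this reports login, netstat and passwd as altered and in.telnetd as missing, while the two /etc entries are dropped. Two caveats from the thread carry over: `rpm -Va` trusts the on-disk RPM database, so comparing against package files from the original media (`rpm -Vp /path/to/package.rpm`) removes one thing an intruder can tamper with, but a replaced rpm binary, libc or kernel still hides whatever it likes, which is why both Mark and Drew end at "reinstall".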