[plug] Scary Stuff

Steve Grasso steveg at calm.wa.gov.au
Thu Dec 6 12:53:42 WST 2001


Adrian,

I assume you're asking what the chances are that you've been cracked, based 
on the appearance of a strange directory entry under /etc/init.d.

So, as Brad asked, what's in it? Boot the machine from a rescue floppy, or 
from Tomsrtbt. /etc/init.d is probably under the root directory, so mount the 
root directory on a suitable mount point and inspect /etc/init.d/? from 
there. This way you'll be using the ls binary from the bootdisk distro rather 
than from your machine, so if you have been root-kitted, ls will report 
correctly. From /mount-point/etc/init.d, use ls -alb $'\077', which will list 
all files, including files with non-printable characters. (BTW 077 is ? in 
octal). Once you've seen what's in the directory, you can decide what 
additional steps you need to take (if any).

HTH,
Steve

On Thursday 06 December 2001 12:01, AWoodley at IINet.net.au wrote:
> G'Day,
>     I've recently found a directory titled "/etc/init.d/?". I'm pretty
> sure that it shouldn't be there. Is this just a filesystem error
> (Reiserfs) or something more sinister? I'm thinking it might be time to
> take a CD image of the /etc directory and torch the lot...
> *Sigh*, more downloads... (curse stupid telstra and its slack-arse
> phonelines around the hills and its lack of adsl!).
>
> Any comments, advice?
>
> Regards,
> Adrian
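
The check Steve describes, as an added example that is not part of the original thread: a plain ls prints "?" for any non-printable byte, so this script reports each odd entry's name as octal bytes and says whether it is a literal "?" (077) or something unprintable. The function names and the /mnt/rescue mount point are assumptions; run it with the shell and tools from the rescue media, not the suspect system's.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.
# Usage from rescue media, with the suspect root mounted (assumed mount point):
#   sh scan_names.sh /mnt/rescue/etc/init.d

# octal_bytes NAME: print the bytes of NAME as space-separated octal values.
octal_bytes() {
    printf '%s' "$1" | LC_ALL=C od -An -v -to1 | tr -s ' \n' ' ' |
        sed 's/^ //; s/ $//'
}

# scan_dir DIR: report entries whose name is a literal "?" or contains any
# byte outside printable ASCII. One line per hit: "<kind> <octal bytes>".
scan_dir() {
    dir=$1
    # Three globs so that dot-files are covered but "." and ".." are not.
    for path in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # An unmatched glob stays literal and names nothing; skip it.
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        # Delete every printable byte; anything left over is non-printable.
        # The trailing "x" protects a leftover newline from being stripped.
        rest=$(printf '%s' "$name" | LC_ALL=C tr -d '[:print:]'; printf x)
        if [ "$rest" != x ]; then
            kind=NONPRINTABLE
        elif [ "$name" = '?' ]; then
            kind=LITERAL-QMARK
        else
            continue
        fi
        printf '%s %s\n' "$kind" "$(octal_bytes "$name")"
    done
}

# Run only when a directory argument is given.
if [ "$#" -gt 0 ]; then
    scan_dir "$1"
fi
```

A NONPRINTABLE hit is the case where ls on the running system would have shown the same "?" as a directory genuinely named "?".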


