Behdad Esfahbod's daily notes on GNOME, Pango, Fedora, Persian Computing, Bob Dylan, and Dan Bern!

My Photo
Location: Toronto, Ontario, Canada

Ask Google.

Contact info
Hacker Emblem Become a Friend of GNOME I Power Blogger
follow me on Twitter
July 2003
August 2003
October 2003
November 2003
December 2003
March 2004
April 2004
May 2004
July 2004
August 2004
September 2004
November 2004
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
December 2007
January 2008
February 2008
March 2008
April 2008
May 2008
June 2008
July 2008
August 2008
October 2008
November 2008
December 2008
January 2009
March 2009
April 2009
May 2009
June 2009
July 2009
August 2009
November 2009
December 2009
March 2010
April 2010
May 2010
June 2010
July 2010
October 2010
November 2010
April 2011
May 2011
August 2011
September 2011
October 2011
November 2011
November 2012
June 2013
January 2014
May 2015
Current Posts
McEs, A Hacker Life
Friday, October 21, 2005
 I can see through your masks

[Announcement: There's a new list: performance-list gnome org. All invited.]

Over the past two weeks I found somebody accessing my departmental Linux account using password and running mallware. The first time it happened, I was in great shock. Fortunately the admins confirmed that password authentication was used, so my precious private key on my laptop was not stolen. So I convinced myself that a friend's Windows machine I used to check mail was the source of the problem. When it happened a second time though, it left only two choices: My laptop, and the Linux box I use to check email when I'm in University of Toronto at Scarborough on Thursdays. It's a professor's office box, not a public box.

Anyway, I investigated the box in question, and indeed it was infected, by a rootkit and lots of other bad things. I didn't have root access, that made investigations a bit harder, but here are a couple of my observations that are worth noting:

Wouldn't /proc/*/cmdline be easier?
Not really. Although /proc/*/cmdline is readable too, it doesn't necessarily contain the absolute path. In this case, it was saying ./john some.ip.addr.ess and there was no file named john on the system (it was deleted.) With the help of maps, I got some names from the absolute path and searched for them, and indeed found where it was hiding.
Post a Comment

<< Archive
<< Home