I had a problem this morning with a box running SuSE 6.4. It's in a
company's DMZ and for some reason it was rebooted and networking did not
start properly. Investigation (of the remote controlled person kind, given
that the machine was off the air) eventually revealed that the network start
script /etc/rc.d/init.d/network was not the correct SuSE script but rather
was a RedHat version.
This is obviously a little strange and none of those invloved in managing
the machine know anything about it so I'm wondering could it be part of some
rootkit or other. It sounds a very strange to me for a rootkit to do i.e. to
modify a script which won't be run for a long time but maybe it's a way of
ensuring that whatever backdoors might have been installed stay installed
but OTOH it does sound like a typical rootkit behaviour i.e. to assume that
the box being cracked is running RH. Does the behaviour I described ring a
bell with anybody ?
Niall
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
