changing root password with Knoppix 928

Maybe you've got a specially built Linux installation where passwd(8) is a statically linked binary that just makes kernel calls. On my systems, passwd is built the same way everything else is, so it links at run time to the common /lib/libc.so.6, which is a symlink to libc-2.3.2.so. That's one of the executables most likely to be messed with, because just about everything uses it. Likewise /lib/ld-linux.so.2. passwd is a pretty good candidate, too, because the intruder may want to steal passwords as they are changed.

This intruder is most plausibly using a root kit, not starting from scratch on this particular victim's box. The first goal of the root kit is not to be detected. The next goal is to *keep* control of the compromised box. They've most likely messed with *every* utility you might use to reclaim the box. That's everything you could use to try to copy in uncompromised files from another machine. Everything that might help you see the root kit's parts. Everything you might use to change access authorizations. Not just passwd, but /lib/libpam.so.0 and /usr/sbin/sshd. That's what root kits are *for*.

changing root password with Knoppix 930 Unruh No no, I know it's not a HD issue. But we have gigs of data spread over 5 PC's, including this Web server in the DMZ, so I was... Cameron

changing root password with Knoppix 929 Bit Twister Well, let me put it this way: I can't build a new system until I get a new...
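The check the post above implies, as an added example that is not part of the original thread: from trusted live media such as Knoppix, hash the files the post names on the suspect disk using the live system's own tools and compare them with a known-good manifest. The manifest format, the function names and the idea that the manifest comes from a clean install of the same package versions are assumptions.

```shell
# Added example: run from trusted live media with the suspect disk mounted
# read-only. Manifest format and function names are assumptions.

# resolve_in_root ROOT PATH: print the file PATH names under ROOT, following
# symlinks inside ROOT so an absolute link is never resolved against the
# live system's own /lib or /usr.
resolve_in_root() {
    root=$1; path=$2; hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$root$path")
        case $target in
            *..*) return 1 ;;   # refuse links that could climb out of ROOT
            /*)   path=$target ;;
            *)    path=$(dirname "$path")/$target ;;
        esac
        hops=$((hops + 1))
    done
    [ ! -L "$root$path" ] || return 1   # chain too long or looping
    printf '%s\n' "$root$path"
}

# verify_tree ROOT MANIFEST
# MANIFEST lines: "<sha256>  <path as seen on the installed system>"
# Prints OK / CHANGED / MISSING per entry (MISSING includes refused links)
# and returns the number of entries that are not OK.
verify_tree() {
    root=$1; manifest=$2; bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        real=$(resolve_in_root "$root" "$path") || real=
        if [ ! -f "$real" ]; then
            echo "MISSING $path"; bad=$((bad + 1)); continue
        fi
        got=$(sha256sum "$real" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK      $path"
        else
            echo "CHANGED $path"; bad=$((bad + 1))
        fi
    done < "$manifest"
    return "$bad"
}
```

Called as `verify_tree /mnt/suspect known-good.sha256`, where both names are placeholders. Only links in the final path component are resolved inside the root; symlinked directories along the way are still followed by the kernel.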