John is the network administrator of XSECURITY systems. His network was recently compromised. He analyzes the logfiles to investigate the attack.
Take a look at the following Linux logfile snippet. The hacker compromised and “owned” a Linux machine. What is the hacker trying to accomplish here?
[root@apollo /]# rm rootkit.c
root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm – rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd 59 ? 00:00:00 inetd
m: cannot remove `/tmp/h’: No such file or directory
m: cannot remove `/usr/sbin/rpc.portmap’: No such file or directory [root@apollo /]# ps -aux | grep portmap
root@apollo /]# [root@apollo /]# ps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/portmap ; rm /tmp/h ; rm /usr/sbin/rpc.portmap ; rm -rf .bash* ; rm -rf /root/.bash_history ; rm – rf /usr/sbin/namedps -aux | grep inetd ; ps -aux | grep portmap ; rm /sbin/por359 ? 00:00:00 inetd
m: cannot remove `/sbin/portmap’: No such file or directory
m: cannot remove `/tmp/h’: No such file or directory
>rm: cannot remove `/usr/sbin/rpc.portmap’: No such file or directory root@apollo /]# rm: cannot remove `/sbin/portmap’: No such file or directory