MISCELLANEOUS FINDINGS
Running the out-of-sequence-inodes.sh script from Chapter 7 on the /sbin directory revealed nothing interesting. As with our first case, running this script on the /bin directory allows the Xing Yi Quan rootkit to be easily seen. Partial output from this command is shown in Figure 9.29.
FIGURE 9.29
Out of sequence inodes for a recently added rootkit.
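The idea behind this check, as an added example rather than the book's out-of-sequence-inodes.sh script: files installed together typically receive neighbouring inode numbers, so a small group of files whose inodes sit far from the rest of the directory was created separately. The function names, the gap and run-size thresholds, and the sample listing are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the script from Chapter 7.
# Reads "inode name" lines (the format of `ls -i1 DIR`) on stdin and prints
# the entries that belong to small inode runs separated from the bulk.
#   $1 = largest inode gap still treated as the same run (assumed default 1000)
#   $2 = smallest run size treated as a normal install batch (assumed default 3)
inode_outliers() {
    sort -n -k1,1 | awk -v gap="${1:-1000}" -v min="${2:-3}" '
        function emit_run(   i) {
            # A run shorter than min was allocated apart from its neighbours.
            if (n > 0 && n < min)
                for (i = 1; i <= n; i++) print run[i]
            n = 0
        }
        { sub(/^[ \t]+/, "") }            # ls -i pads inode numbers with blanks
        $1 ~ /^[0-9]+$/ {
            if (n > 0 && $1 - prev > gap) emit_run()
            run[++n] = $0
            prev = $1
        }
        END { emit_run() }
    '
}

# Constructed sample listing (placeholder names, not taken from the case image).
sample_listing() {
    cat <<'EOF'
655362 bash
655363 cat
655364 chmod
655365 cp
655366 ls
655401 mount
655402 ps
655403 rm
1315227 suspect-file-a
1315228 suspect-file-b
EOF
}

# Stand-alone run over the sample; on a mounted image use: ls -i1 DIR | inode_outliers
sample_listing | inode_outliers 1000 3
```

A legitimately updated package also lands in its own inode run, so flagged entries are leads to check against timestamps and package hashes, not proof of compromise.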
After you inform Dr. Potslar of the excessive requests for dns-lookup.php on May 3, he passes this information along to the webmaster. The webmaster then has a look at this code with the help of a friend from the local Open Web Application Security Project (OWASP) chapter, which he has recently joined. They discover a code execution vulnerability on this page.