[OLUG] mtab

Mark Hagler hagler at th.in.gs
Tue Dec 14 21:34:37 UTC 1999


The /net mount point is a "virtual" one that is managed by the automounter.
When the amd process is running (process 502, in this case) it will provide
the /net mountpoint as the link between its kernel drivers and userspace.
Nobody added this to the mtab, they merely started the automounter process.

Incidentally, the /etc/mtab file should never be edited by hand.  The mount
command references and updates this file as you mount and unmount filesystems,
and it's there so the system can keep track of what filesystems are mounted,
what devices they are on, and options they were mounted with.

I would also recommend scrubbing your box after anything has compromised
the security of it.  If you are using a RedHat box, you can ask rpm to
verify the packages that are installed.  This will flag any files that have 
been modified from their originally installed version.  Some files in /etc
are normal (/etc/passwd for example) but if you see stuff in /bin or /usr/bin
flagged for any reason, it's probably a bad deal.  Also, if you have a 
really, really smart hacker, the RPM database can be modified to make it think 
that the new checksums on the files are correct, and then the RPM verification
will not flag anything.

The only positive way to be sure your box is clean is to re-install it.

On Tue, Dec 14, 1999 at 12:40:04PM -0600, Todd wrote:
> 	Can anyone tell me what this entry in the mtab file would cause
> cx444541-b:(pid502) /net nfs
> intr,rw,port=1023,timeo=8,retrans=110,indirect,map=/etc/amd.net,dev=00000003
> 0 0
> 	When someone gained access to my box they added this line to the mtab file.
> Just seeing wondered what they were trying to mount.
> 
> 
> -------------------------------------------------------------------------
> Sent by OLUG Mailing list Manager, run by ezmlm.  http://olug.bstc.net/ 
> To unsubscribe: `echo unsubsribe | mail olug-unsubscribe at bstc.net` 

-- 
  Email is packaged by intellectual weight, not volume. Some
  settling of contents may have occurred during transmission.
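
The rpm verification triage described in the message above, as an added example that is not part of the original post. The function names, the severity labels and the sample report lines are constructed for illustration; only `rpm -Va` and its output format are real.

```shell
#!/bin/sh
# Added example: sort `rpm -Va` findings the way the message describes.
# Changed config files under /etc are often normal; anything flagged in
# /bin or /usr/bin is treated as a likely sign of tampering.

# Read `rpm -Va` output on stdin, print "LEVEL REASON PATH" per finding.
# LEVEL names (HIGH/MEDIUM/LOW) are this example's own labels.
triage_rpm_verify() {
    awk '
    NF < 2 { next }                      # skip blank or malformed lines
    {
        flags = $1
        path = $0
        sub(/^[^ ]+ +/, "", path)        # drop the flag column
        marker = ""
        if (path ~ /^[a-z] +\//) {       # optional file-type marker (c = config)
            marker = substr(path, 1, 1)
            sub(/^[a-z] +/, "", path)
        }
        if (flags == "missing")  reason = "missing"
        else if (flags ~ /5/)    reason = "content"    # digest differs
        else                     reason = "metadata"   # mode, owner, mtime...

        if (path ~ /^\/(usr\/)?bin\//)                level = "HIGH"
        else if (marker == "c" && path ~ /^\/etc\//)  level = "LOW"
        else                                          level = "MEDIUM"
        print level, reason, path
    }'
}

# Constructed sample of `rpm -Va` output, so the example runs offline.
sample_report() {
    cat <<'EOF'
S.5....T.  c /etc/passwd
S.5....T.    /bin/login
.M.......    /usr/bin/passwd
missing      /usr/bin/top
S.5....T.    /usr/lib/libfoo.so
EOF
}

# On a live system: rpm -Va | triage_rpm_verify
sample_report | triage_rpm_verify
```

A clean result from this is only as trustworthy as the RPM database it was checked against, which is the limitation the message points out.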
