Entries in `/etc/inittab` below last line - possible hack? [duplicate]

linux hacking rootkit

That's there to reinfect the system on boot... Another part of rootkit extraction is that you're not safe until you've determined what backdoors or triggers exist to reinfect your system.

The rpm verify command I gave in your previous question also checks configuration files to show you what's changed from the package defaults.

rpm -vVa | grep 'S\.5\.\.\.\.\T' will output changed binaries and configuration files (denoted by a "c")

For example:

S.5....T  c /etc/httpd/conf/httpd.conf
S.5....T  c /etc/snmp/snmpd.conf

The "c" means that the config file changed. rpm -qf /path/to/file will show you the package that contains the file. You can either wipe or move the file and reinstall the rpm package to overwrite it.


The lines with mingetty should stay there. In simple words, there are the number of console that you can access with ctrl+alt+f{1-6}. Usually the 7th is your graphical environment.

About ttyload, since it's not in your system you don't need that line.

Related

How can I see the response of the DNS requests that tcpdump is showing me?
Test virtual host configuration [closed]
RANCID, but for arbitrary server configuration files
Simple IP load balancer for web service that runs on Windows XP or Windows 7 Professional?
File base permissions are 666, why and is this a configurable value? [closed]
Forward localhost memcached server on port 12111 to domain.com memcached server
Is a web server required to run a mail server?
ubuntu distribution upgrade got corrupted [closed]
Traceroute: different results [closed]
Iptables rules sometimes are reset automatically
Associate elastic ip automatically to a amazon ec2 instance when the instance start
How can I setup a network connection with Puppet?