[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Somebody's knocking...

From: Brian Ashe <brian dee-web com>
To: "Burke, Thomas G." <redhat-list redhat com>
Subject: Re: Somebody's knocking...
Date: Mon, 31 Jul 2000 10:52:13 -0400

Hi Thomas,

The first way to tell if you were compromised is if you can still log in.
Most root kits replace /bin/login. If for some reason your hacker did not,
you can also do a ls -alc /bin to see if any thing floats to the top. If
a root kit was installed the dates wont match and you will at least see ps
move to the top.

If all of your updates are done, they most likely didn't get in.

Have fun,
-- 
_________________________________________________________________
 Brian Ashe                     CTO
 brian dee-web com              Dee-Web Software Services, LLC.
 http://www.dee-web.com/
-----------------------------------------------------------------
Those who desire to give up Freedom in order to gain Security,
will not have, nor do they deserve, either one.

Monday, July 31, 2000, 9:13:49 AM, you wrote:

BTG> Looks like someone was knocking...  Is there any way to tell if they got in?

BTG> ################## LogWatch 1.6.6 Begin ##################### 


BTG>  --------------------- Cron Begin ------------------------ 
BTG> Commands Run:
BTG>    User root:
BTG>          /sbin/rmmod -as: 144 Time(s)
BTG>       run-parts /etc/cron.daily: 1 Time(s)
BTG>       run-parts /etc/cron.hourly: 24 Time(s)


BTG>  ---------------------- Cron End ------------------------- 



BTG>  --------------------- ftpd-messages Begin ------------------------ 

BTG> Anonymous FTP Logins:
BTG>    24.64.182.188.on.wave.home.com (24.64.182.188):
BTG> ????????????????????????????????????????????????????????????????????????????
BTG> ????????????????????????????????????????????????????????????????????????????
BTG> ????????????????????????????????????????????????????????????????????????????
BTG> ????????????????????????????????????????????????????????????????????????????
BTG> ???????????????????????????????????????????1À1Û1É°FÍEUR1À1ÛC?ÙA°?ÍEURëk^1À1É
BTG> ?^^A^F^Df¹ÿ^A°'ÍEUR1À?^^A°=ÍEUR1À1Û?^^H?C^B1ÉþÉ1À?^^H°^LÍEURþÉuó1À^F^I?^^H°=
BTG> ÍEURþ^N°0þÈ^F^D1À^F^G?v^H?F^L?ó?N^H?V^L°^KÍEUR1À1Û°^AÍEURè?ÿÿÿ0bin0sh1..11
BTG> - 1 Time(s)

BTG> ÿôèº{.nÇ+?·ÿ?¨¥çajßå?Ëÿê®zËÿçajßÜ¢l"¶î?Ë?±ÊâmïÚ²Ø^JæãyËÿ

Follow-Ups:
- Re: Somebody's knocking...
  - From: Juan Martinez

References:
- Somebody's knocking...
  - From: Burke, Thomas G.

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]