[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?)

Bear Giles bgiles at coyotesong.com
Tue Aug 16 11:23:30 MDT 2005


# find /tmp -type f -perm /111 -ls   # any execute bit set; older find spelled this -perm +111

and the same for /dev are your friends.  You might need to do the
execute bits individually, I'm not sure.  You can also check for
SUID/SGID files, block devices anywhere other than /dev, etc.

# netstat -l

and look at the tcp and udp bindings.  You can probably ignore the
unix socket bindings.

What to do now?

1) disable net access.

2) run chkrootkit and rkhunter.

3) reinstall from scratch. :-)

Seriously, you need to figure out how they got in, close that
door, and replace/remove any suspect files.  No guarantees but it
gives you a fighting chance.

Bear
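The checks in the post (executables in /tmp and /dev, SUID/SGID files, device nodes outside /dev, listening sockets), collected into one POSIX shell script. This is an added example, not code from Bear's message; it assumes a find that accepts symbolic -perm modes (GNU and busybox do), and it is exercised on a constructed sample tree so it never has to scan the real filesystem.

```sh
#!/bin/sh
# Added example, not part of the original post: a small triage script that
# applies the checks from the message to a directory tree you point it at.
# It is run here on a constructed sample tree so it works offline.

# Regular files with any execute bit set under $1 (the /tmp and /dev check).
# Symbolic -perm forms are POSIX; GNU find also accepts "-perm /111" for the
# same test, while the 2005-era "-perm +111" is rejected by current findutils.
find_executables() {
    find "$1" -type f \( -perm -u+x -o -perm -g+x -o -perm -o+x \) 2>/dev/null | sort
}

# SUID or SGID regular files anywhere under $1.
find_suid_sgid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Block or character device nodes under $1, skipping the expected device dir $2.
find_stray_devices() {
    find "$1" -path "$2" -prune -o \( -type b -o -type c \) -print 2>/dev/null | sort
}

# Listening TCP and UDP sockets; unix sockets are left out as the post suggests.
listening_sockets() {
    if command -v ss >/dev/null 2>&1; then
        ss -lntu
    elif command -v netstat >/dev/null 2>&1; then
        netstat -lntu
    else
        echo "neither ss nor netstat available" >&2
        return 1
    fi
}

# Run every check against a root ($1) and its device directory ($2).
run_triage() {
    echo "== executables in $1/tmp and $2 =="
    find_executables "$1/tmp"
    find_executables "$2"
    echo "== SUID/SGID files under $1 =="
    find_suid_sgid "$1"
    echo "== device nodes outside $2 =="
    find_stray_devices "$1" "$2"
    echo "== listening sockets =="
    listening_sockets || true
}

# Constructed sample tree: one hidden executable in tmp and one setuid file.
# (Device nodes are not planted because mknod needs privileges.)
build_sample_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/tmp" "$base/dev" "$base/usr/bin"
    printf '#!/bin/sh\necho hi\n' > "$base/tmp/.x"
    chmod 755 "$base/tmp/.x"
    : > "$base/tmp/notes.txt"
    printf '#!/bin/sh\n' > "$base/usr/bin/suidtool"
    chmod 4755 "$base/usr/bin/suidtool"
    echo "$base"
}

# Demo on the constructed tree; on a real host use: run_triage / /dev
demo=$(build_sample_tree)
run_triage "$demo" "$demo/dev"
rm -rf "$demo"
```

On a live host, run it from read-only media or a known-good binary set where possible: a rootkit that has replaced find or netstat will lie to the very checks that are supposed to expose it, which is why the post's step 3 is the only real guarantee.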


