[lug] Signs of hacking (was ARRG! Change One Little Thing And... HACKED?
Kevin Fenzi
kevin at scrye.com
Tue Aug 16 11:28:26 MDT 2005
>>>>> "Bill" == Bill Thoen <bthoen at gisnet.com> writes:
Bill> I've checked the logs for Jul 30 (when the process started) but
Bill> found nothing I can recognize. Is there a standard checklist of
Bill> things to look for when trying to find out if this is a hack or
Bill> just a broken pointer that could be fixed by just rebooting?

sendmail shouldn't listen on port 443.

You might want to unplug the machine from the network and then:

You could try:

rpm -Va >& rpm.out

that will run a full rpm verify and show you all the files that don't
match the ones in the database.

You can also run rootkit hunter:

http://www.rootkit.nl/projects/rootkit_hunter.html

download the .tar.gz file, do 'rpmbuild -tb rkhunter*.tar.gz' and
install the resulting rpm, then do 'rkhunter --update' and 'rkhunter -c'

Good luck.

Bill> - Bill Thoen
kevin
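
The rpm.out file from the `rpm -Va` step above is usually long and mostly routine config and timestamp changes. As an added example (not part of the original message), this shell function keeps only the packaged non-config files that are missing, have a changed digest, or have changed mode/ownership. It assumes the standard `rpm -V` line layout (attribute string, optional c/d/g/l/r marker, path); the function names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage the output of `rpm -Va` (hypothetical helper names).

# Constructed sample lines in rpm -V format, used when no file is given.
sample_rpm_out() {
    cat <<'EOF'
S.5....T.  c /etc/mail/sendmail.cf
S.5....T.    /bin/ps
missing      /usr/bin/lsattr
.M.......    /usr/bin/passwd
.......T.    /usr/lib/libfoo.so.1
.......T.  d /usr/share/doc/bash/README
Unsatisfied dependencies for example-1.0: libexample
EOF
}

# Reads rpm -Va output on stdin, prints "<REASON> <path>" per finding.
triage_rpm_verify() {
    awk '
    {
        flags = $1
        slash = index($0, "/")
        if (slash == 0) next                 # no path: dependency or error text
        path = substr($0, slash)             # keeps paths containing spaces
        if (flags != "missing" && flags !~ /^[.?SM5DLUGTP]+$/) next
        if ($2 ~ /^[cdglr]$/) next           # config/doc/ghost/license/readme
        if (flags == "missing")       print "MISSING  " path
        else if (index(flags, "5"))   print "DIGEST   " path   # content changed
        else if (flags ~ /[MUG]/)     print "PERMS    " path   # mode/user/group
        # size- or mtime-only differences are dropped as low signal
    }'
}

# Usage: sh triage.sh rpm.out   (falls back to the constructed sample)
if [ -n "${1:-}" ]; then
    triage_rpm_verify < "$1"
else
    sample_rpm_out | triage_rpm_verify
fi
```

The verify compares files against the rpm database on the same machine, so a clean result is weaker evidence than a finding; repeating the check from trusted boot media with `rpm --root` pointed at the mounted disk avoids relying on the suspect system's own binaries.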