[lug] pscan2

Sean Reifschneider jafo at tummy.com
Mon Feb 21 20:28:22 MST 2005


On Mon, Feb 21, 2005 at 07:31:27PM -0500, Gordon Golding wrote:
>Somebody here just told me they had trouble with a Server somebody stuck
>on our network.  Now there are processes called "-" and "unprintable
>characters" on a production Server.

As was mentioned, it is likely your box has been compromised.  Try running
"chkrootkit" on it and see what the results are.  There's also
"rootkithunter", which Kevin likes.  I haven't used it yet.

In general, we recommend that a compromised box plan to be reloaded,
because it can be very difficult to get rid of the vermin once they're in.
However, we have had good luck tightening boxes down on the rare occasions
that we've had client machines get compromised.  Also, make sure that on
the re-install you don't copy over any compromised files, particularly
true for web applications, etc.

The timing would make me suspect that you might have been compromised by
awstats, so if you have it running there you'd better look at it pretty
carefully and lock it down.  There is an awstats vulnerability running
around.

Shameless plug: If you need help, I will mention that my company, tummy.com,
ltd., has extensive experience doing just this sort of thing, as well as
migrating to new systems and tightening down systems.

Sean
-- 
 It often shows a fine command of a language to say nothing.
Sean Reifschneider, Member of Technical Staff <jafo at tummy.com>
tummy.com, ltd. - Linux Consulting since 1995.  Qmail, Python, SysAdmin
      Back off man. I'm a scientist.   http://HackingSociety.org/
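
Added example, not part of the original message: a small Python triage script that lists processes whose name is a bare "-" or contains unprintable bytes, the two symptoms described in the quoted report. The function names and the sample rows are constructed for illustration; on a Linux host it reads `/proc/<pid>/comm` and `/proc/<pid>/cmdline`, otherwise it falls back to the sample.

```python
import os

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, space through '~'

def name_findings(name: bytes) -> list:
    """Reasons a name matches the report: unprintable bytes, or a bare '-'."""
    findings = []
    if any(b not in PRINTABLE for b in name):
        findings.append("unprintable bytes")
    if not any(chr(b).isalnum() for b in name if b in PRINTABLE):
        findings.append("no letters or digits")
    return findings

def scan(entries):
    """entries: iterable of (pid, comm, argv0); returns [(pid, findings)]."""
    report = []
    for pid, comm, argv0 in entries:
        findings = []
        for label, name in (("comm", comm), ("argv0", argv0)):
            if name:  # kernel threads and zombies have an empty command line
                findings += [f"{label}: {f}" for f in name_findings(name)]
        if findings:
            report.append((pid, findings))
    return report

def read_proc(root="/proc"):
    """Yield (pid, comm, argv0) for each process visible under /proc (Linux)."""
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "comm"), "rb") as fh:
                comm = fh.read().rstrip(b"\n")
            with open(os.path.join(root, pid, "cmdline"), "rb") as fh:
                argv0 = fh.read().split(b"\0")[0]
        except OSError:
            continue  # process exited, or we lack permission
        yield int(pid), comm, argv0

# Constructed sample rows, not data from the server in the thread.
SAMPLE = [
    (2, b"kthreadd", b""),
    (812, b"bash", b"-bash"),
    (4021, b"-", b"-"),
    (4022, b"\x01\x7f\xff", b"\x01\x7f\xff"),
]

if __name__ == "__main__":
    for pid, findings in scan(read_proc() if os.path.isdir("/proc/1") else SAMPLE):
        print(pid, "; ".join(findings))
```

A rootkit can hide processes from `/proc`, so an empty result does not clear the host; the chkrootkit run recommended in the message still applies.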
