Hmm, sorry, but I didn't watch this thread, but I just want to add some stuff.

First make a backup of your disk (if you might want to research it later on),
or you might want to toy with a copy of the backup, leaving the system in the state it was. Backups can be used as evidence. Or you can monitor the machine while the kid/hacker thinks he's still safe.

reinstall
login procps sshd passwd lsof bash shellutils sysvinit crontab findutils net-tools
with apt-get --reinstall install <package>
Now the default rootkit should be visible (the hide and seek part is over ;) )

hmmm kernel ?

now you can start your (re)search

I don't think you'll find a lot in your logfiles because they are "cleaned" anyway....

grtnx,
        Robbert Helling.

At 17:26 7-5-2003, you wrote:

        Check the shell history file of team1 user...
        if exists


On (07/05/03 14:51), Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian      pts/0        172.16.3.195     Wed May  7 14:49   still logged in
> team1    pts/0        blue99.ex.ac.uk  Wed May  7 13:21 - 13:57  (00:35)
>
> I have run chkrootkit but nothing was found.
>
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?
>
> Thanks
>
> ijg0
>
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>

--
Bueno, Felippe
<[EMAIL PROTECTED]>
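
An added example, not part of the original messages: one way to examine a copy of the disk backup from a separate, trusted machine is to compare the files of the packages named above against dpkg `md5sums` manifests. The function names, the mount point and the manifest directory are assumptions; the manifests should come from a clean install of the same release, since the ones on the suspect disk may have been altered too.

```shell
#!/bin/sh
# Added example (hypothetical names): check files in a mounted copy of the
# backup against dpkg md5sums manifests taken from a trusted system.

# verify_pkg ROOT MANIFEST_DIR PKG
# Prints one line per finding:
#   NOMANIFEST <pkg>   no <pkg>.md5sums in MANIFEST_DIR
#   NOTFILE <path>     file is absent, or is a symlink/non-regular file
#   CHANGED <path>     content hash differs from the manifest
# Returns 0 when every listed file matched, 1 otherwise.
verify_pkg() {
    root=$1 mdir=$2 pkg=$3 rc=0
    manifest="$mdir/$pkg.md5sums"
    if [ ! -f "$manifest" ]; then
        echo "NOMANIFEST $pkg"
        return 1
    fi
    # Manifest lines look like "<md5 hex>  usr/bin/last" (path relative to /).
    while read -r want path; do
        [ -n "$path" ] || continue
        # Manifests list regular files only; a symlink in that place is a
        # finding, and following it could read the analysis host instead.
        if [ -L "$root/$path" ] || [ ! -f "$root/$path" ]; then
            echo "NOTFILE $path"; rc=1; continue
        fi
        have=$(md5sum < "$root/$path" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$manifest"
    return $rc
}

# verify_all ROOT MANIFEST_DIR PKG...
# Runs verify_pkg for each package; returns 0 only if none had findings.
verify_all() {
    root_all=$1 mdir_all=$2; shift 2
    bad=0
    for p in "$@"; do
        verify_pkg "$root_all" "$mdir_all" "$p" || bad=$((bad + 1))
    done
    echo "packages with findings: $bad"
    [ "$bad" -eq 0 ]
}

# Usage (constructed paths; image mounted read-only on the analysis machine):
#   verify_all /mnt/evidence /trusted/dpkg-info login procps passwd lsof bash
```

A `NOMANIFEST` result only means the package could not be checked this way, not that its files are clean.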

