hmm sorry but i didn't watch this thread but i just want to add some stuff
first make a backup of your disk ( if you might want to research it later on )
or you might want to toy with a copy of the backup leaving the system in
the state it was.
backups can be used as evidence. Or you can monitor the machine while the
kid/hacker thinks he's still safe.
reinstall
login procps sshd passwd lsof bash shellutils sysvinit crontab findutils net-tools
with apt-get --reinstall install <package>
now the default rootkit should be visible ( the hide and seek part is over ;) )
hmmm kernel ?
now you can start your (re)search
I don't think you'll find a lot in your logfiles because they are "cleaned"
anyway....
grtnx,
Robbert Helling.
At 17:26 7-5-2003, you wrote:
Check the shell history file of team1 user... if it exists
On (07/05/03 14:51), Ian Goodall wrote:
> I am running a debian woody server and when I checked the last users
> yesterday I a large number of logins in the list. On running the command
> today I get the following:
>
> dev1:/home/ian# last
> ian pts/0 172.16.3.195 Wed May 7 14:49 still logged in
> team1 pts/0 blue99.ex.ac.uk Wed May 7 13:21 - 13:57 (00:35)
>
> I have run chkrootkit but nothing was found.
>
> I have never had this before. Am I being paranoid or is someone trying to
> cover up their tracks?
>
> Thanks
>
> ijg0
>
>
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
>
>
--
Bueno, Felippe
<[EMAIL PROTECTED]>