Thanks a lot, Michael.
I will check on the sites now...
> -----Original Message-----
> From: Michael Liberte [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 27, 2001 3:36 AM
> To: '"Peña, Botp"'; [EMAIL PROTECTED]
> Subject: RE: [FW1] quite ot -but i need help about security
>
>
> From which IP was this mysterious root connected?
> To which site was he FTPing?
> Were the logs deleted recently?
> Were sensitive programs, such as su, modified recently?
>
> You can find much more information at:
> http://www.enteract.com/~lspitz/
> http://project.honeynet.org/papers/enemy/
> HTH
> Michael.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Monday, March 26, 2001 3:16 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] quite ot -but i need help about security
>
>
>
> Hi ALL:
>
> This is quite ot but I know that a lot of you here know a lot about
> security.
>
> Just a while ago, the named program on one of our servers wasn't
> functioning (all lookups failed in logs). When I did a ps -ef, I noticed
> that root was ftping to a certain site. I called my partner, and he said
> that he didn't log in. I also did a who, and indeed only my id showed.
>
> I looked at all the logs and didn't see any trace of root... my only proof
> was the ps -ef output :-(
>
> Q: Can anyone send me tips on how to track that mysterious "root"?
>
> Sorry again for this ot question.
>
> Thanks,
> -botp
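
The mismatch described in the original question (a root ftp process visible in ps -ef while who lists only one login) can be checked mechanically. The following is an added example, not part of the thread: it cross-checks the two outputs and reports processes whose terminal has no who (utmp) entry, plus interactive network clients running with no terminal. The function name, the client list and the sample data are assumptions constructed for illustration, and the column positions assume Linux-style ps -ef output.

```shell
#!/bin/sh
# Added example: cross-check `ps -ef` against `who`.
# Flags processes whose terminal has no utmp (who) entry, and interactive
# network clients running with no terminal at all.

# Constructed sample data, not output from the poster's server.
SAMPLE_WHO='botp     pts/0        Mar 26 14:58 (10.0.0.5)'
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Mar20 ?        00:00:04 init
root       412     1  0 Mar20 ?        00:00:00 /usr/sbin/sshd
botp      9001   412  0 14:58 pts/0    00:00:00 -bash
botp      9050  9001  0 15:10 pts/0    00:00:00 ps -ef
root      9107     1  0 15:02 pts/3    00:00:00 /bin/sh
root      9110     1  0 15:03 ?        00:00:01 ftp ftp.example.net'

# Assumption: this client list is illustrative, adjust it for the host.
CLIENTS='ftp|telnet|ncftp|rsh|rcp'

# unaccounted WHO_TEXT PS_TEXT -> lines of "reason uid pid tty command"
unaccounted() {
    printf '%s\n%s\n%s\n' "$1" '--ps--' "$2" | awk -v clients="$CLIENTS" '
        $0 == "--ps--" { in_ps = 1; next }
        !in_ps         { logged[$2] = 1; next }   # who: column 2 is the tty
        $1 == "UID"    { next }                   # skip the ps header
        {
            tty = $6; cmd = $8
            n = split(cmd, parts, "/"); base = parts[n]
            sub(/^-/, "", base)                   # login shells show as -bash
            if (tty != "?" && !(tty in logged))
                print "tty-not-in-who", $1, $2, tty, base
            else if (tty == "?" && base ~ ("^(" clients ")$"))
                print "client-without-tty", $1, $2, tty, base
        }'
}

# Pass --live to check the running system instead of the sample data.
if [ "${1:-}" = "--live" ]; then
    unaccounted "$(who)" "$(ps -ef)"
fi
```

A hit is a lead rather than proof: who only reports what is recorded in utmp, so each flagged PID still needs the follow-up questions from Michael's reply (source IP, destination site, log and binary changes).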