On Tue, 2003-08-19 at 23:10, Greg Bonnette wrote:
> Upon further inspection I found that my system had been hacked. I found
> multiple directories 
> 
> /tmp/'usernameonmysystem'-orbit (multiple occurrences, one for each
> username)
> /tmp/ssh1kzaah
> /tmp/ssh2...

  Um, I'm not denying that your system could have been hacked, but these
directories are not the signature of any rootkit I know of.  In fact,
they are quite normal.  The /tmp/username-orbit directories always
appear (and are left behind) when username is running the Gnome
desktop.  Not sure of their exact nature, but they likely have to do
with the ORBit or ORBit2 libraries, which I believe are required by
Gnome.
  The /tmp/ssh* directories are the directories where the socket for
each user's instance of sshd that is running that has agent forwarding
turned on or each instance of ssh-agent that is running on the local
system.

> I think I know what orbit is, and I never installed it, but running a
> netstat showed multiple connections to files in these directories. Can
> anyone ID this root kit so I can begin pinpointing my security hole?
> Google has turned up something called MAC_Daddy, but documentation is
> limited. Anyone had experience with this?

  My search for MAC_Daddy on google doesn't turn up anything resembling
a rootkit.

  So, in sum, you definitely could have been cracked, but I think you
are barking up the wrong tree.  Well, maybe, that is.  You may be
identifying that a user's password or ssh key has been compromised, but
the evidence doesn't support a rootkit.  At least not yet. ;-)  Grab
chkrootkit from http://www.chkrootkit.org/, build it, and run it as an
initial check.
  One thing that might help us help you determine what's wrong is by
posting the virtual host sections of your /etc/httpd/conf/http.conf, as
the message does look related to something in that area.  Also, do an
'ls -l' on the file to see when it was last modified.  Maybe the
'username' user who is/was logged in is the one who changed it.
-- 
-Paul Iadonisi
 Senior System Administrator
 Red Hat Certified Engineer / Local Linux Lobbyist
 Ever see a penguin fly?  --  Try Linux.
 GPL all the way: Sell services, don't lease secrets

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
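As an added triage example, not part of Paul's reply or of the thread: the check a practitioner would actually run on the "netstat showed multiple connections to files in these directories" observation is to map each Unix-domain socket under /tmp back to the process holding it, and only worry about sockets whose owner is not one of the programs expected to use that directory. The script below takes `netstat -xp`-style output on stdin and does that; the sample netstat lines are constructed for the example, and the allowlist of program names (ssh-agent and sshd for /tmp/ssh-*/, GNOME/ORBit helpers such as gconfd and bonobo for the orbit directories) is an assumption for illustration.

```shell
#!/bin/sh
# Added example: classify Unix-domain sockets under /tmp by owning process.
# Input format is that of `netstat -xp` (Linux net-tools): the last two
# fields are "PID/Program name" and the socket path.  Not from the thread.

# Constructed sample of `netstat -xp` output (not captured from a real host).
SAMPLE_NETSTAT='Active UNIX domain sockets (w/o servers)
Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
unix  2      [ ]         STREAM     CONNECTED     10123  4567/ssh-agent      /tmp/ssh-XXqw9Tcs/agent.4566
unix  2      [ ]         STREAM     CONNECTED     10124  4570/gconfd-2       /tmp/orbit-greg/linc-11e4-0-2a4b
unix  2      [ ]         STREAM     CONNECTED     10125  4580/bonobo-activat /tmp/orbit-greg/linc-11e6-0-3f1c
unix  2      [ ]         STREAM     CONNECTED     10126  6660/x              /tmp/ssh-zz8Kr1/agent.6659
unix  2      [ ]         STREAM     CONNECTED     10127  -                   /tmp/orbit-root/linc-2c-0-9
unix  2      [ ]         DGRAM                    10128  3210/syslogd        /dev/log'

# classify_unix_sockets: read netstat -xp output on stdin, print one line per
# socket under /tmp as "<verdict>\t<program>\t<path>".  Verdicts:
#   expected - program is one that legitimately uses that directory
#   UNKNOWN  - PID/program hidden ("-"): netstat was not run as root, rerun it
#   SUSPECT  - anything else holding a socket in an ssh-*/ or orbit directory
# The allowed program names below are assumptions for illustration.
classify_unix_sockets() {
    awk '
    $1 != "unix" { next }                       # skip the two header lines
    {
        path = $NF; prog = $(NF - 1)
        if (path !~ /^\/tmp\//) next            # only sockets under /tmp
        sub(/^[0-9]+\//, "", prog)              # "4567/ssh-agent" -> "ssh-agent"
        verdict = "SUSPECT"
        if (prog == "-")
            verdict = "UNKNOWN"
        else if (path ~ /^\/tmp\/ssh-[^\/]+\/agent\./ &&
                 (prog == "ssh-agent" || prog == "sshd"))
            verdict = "expected"
        else if (path ~ /^\/tmp\/(orbit-[^\/]+|[^\/]+-orbit)\/linc-/ &&
                 prog ~ /^(gconfd|bonobo|orbit|nautilus|gnome|panel)/)
            verdict = "expected"
        printf "%s\t%s\t%s\n", verdict, prog, path
    }'
}

# count_verdict VERDICT: number of sockets with that verdict (input on stdin).
count_verdict() {
    classify_unix_sockets | awk -v v="$1" '$1 == v { n++ } END { print n + 0 }'
}

# Run on the constructed sample.  On a live host, as root:
#   netstat -xp | classify_unix_sockets
printf '%s\n' "$SAMPLE_NETSTAT" | classify_unix_sockets
```

An "expected" verdict only says the socket is held by a program that normally lives in that directory; it does not prove the binary is genuine, which is why chkrootkit (or comparing the package's file checksums) is still the next step. A SUSPECT line such as an unknown program holding an agent socket under /tmp/ssh-*/ is worth chasing with `ls -l /proc/<pid>/exe` and the login records for that user.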
