On Wed, 29 Jan 2003, Ernest Ellingson wrote:

> Date: Wed, 29 Jan 2003 09:14:26 -0500
> From: Ernest Ellingson <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: RE: Updating RH Linux 6.2
> [...]
> It might be that your system has been compromised and the hacker
> tries to protect /bin from being modified. Take a good look at all
> your security relevant installed packages with
>
> rpm -qa --last | less
> rpm -qa | xargs -n 1 -t rpm -V &> rpm-Va.txt
> less rpm-Va.txt
> - ----------------------------------------------
> I've done this as well. All of the dates on the packages look OK.
> They all were installed in July of 2000 except for those I installed
> yesterday.
>
> I've attached rpm-Va.txt. All of the packages have a V so they look
> OK. I don't understand the nomenclature on the directories. I'm not
> sure about the missing files. The only services that run on the
> machine are (telnet, ftp, sendmail not open outside the lan) and
> named (open to the internet.) Although for a month or so last fall,
> when we moved the site the firewall rules had these machines pretty
> much naked to the world.
> Look at the results;

Files like ls, netstat, ifconfig and a number of others are modified
(the '5' tells that MD5 sum does not match); I think your machine is
already hacked, and you should reinstall from scratch (of course save
your files first).

BTW: Even if rpm -V had not told you that there is a problem (it did),
you could not be sure that the system was not compromised (for that you
should start from rescue CD and verify against original RPM files rather
than against rpm database which could also be modified by the intruder).

Wojtek
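
The following is an added example, not part of the original thread: a small triage script for a report produced by the `rpm -qa | xargs -n 1 -t rpm -V &> rpm-Va.txt` command quoted above, which separates digest mismatches ('5') on non-config files in binary directories from other findings. The sample report, its package names and the `triage` helper are constructed for illustration, and the script assumes the `xargs -t` command echo appears in the file before each package's findings.

```python
import re

# Flag string is 8 characters in older rpm, 9 in newer; an optional marker
# (c config, d doc, g ghost, l license, r readme) precedes the path.
VERIFY_RE = re.compile(r"^([SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
MISSING_RE = re.compile(r"^missing\s+(?:[cdglr]\s+)?(/.*)$")
# "xargs -t" echoes every "rpm -V <package>" command to stderr and "&>"
# captures it, so each package name precedes its findings in the report.
PKG_RE = re.compile(r"^rpm -V (\S+)$")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

# Constructed sample report; package names and paths are illustrative.
SAMPLE = """\
rpm -V example-fileutils
S.5....T   /bin/ls
rpm -V example-net-tools
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
rpm -V example-inetd
S.5....T c /etc/inetd.conf
rpm -V example-man-pages
missing    /usr/man/man1/example.1
rpm -V example-clean
"""

def triage(report):
    """Split findings into (suspicious, other).

    suspicious: digest mismatch ('5') on a non-config file in a binary dir.
    """
    suspicious, other, pkg = [], [], None
    for line in report.splitlines():
        line = line.rstrip()
        if m := PKG_RE.match(line):
            pkg = m.group(1)
        elif m := MISSING_RE.match(line):
            other.append((pkg, "missing", m.group(1)))
        elif m := VERIFY_RE.match(line):
            flags, ftype, path = m.groups()
            hit = "5" in flags and ftype is None and path.startswith(BIN_DIRS)
            (suspicious if hit else other).append((pkg, flags, path))
    return suspicious, other

if __name__ == "__main__":
    bad, rest = triage(SAMPLE)
    for pkg, flags, path in bad:
        print(f"REVIEW {path} ({pkg}): {flags}")
    print(f"{len(rest)} other finding(s)")
```

An empty "suspicious" list only means the files match the rpm database on the running system, which, as the reply points out, could itself have been modified.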