I would ask for the nature of the evidence of the port scan.  Also,
what is the nature of the content of the web server @ site1.com?  
I have seen various port scan detectors flag a port scan due to 
certain traffic from web sites. Maybe a red herring, then again it
might be real.  BTW, if you had been hacked, changing the root password
could likely be a NOOP - a good intruder would have a root kit installed
and would not need the root password, and would be scanning for
passwords anyway.  And you would not see evidence in logs either; the 
hacker would have trimmed the evidence out.  

Perhaps it is time to read up on detecting intrusions, and cleaning 
up afterward.  Detecting is tough if the person is good, but there is
often some evidence left behind.  A place to start is scanning for all
files modified or created in the past week or so, and making sure you know
why each file was modified/created.  Look at various config files for
changes.  Look for regular files in /dev.  Use a known good version of
a checksum generator (on a floppy or CD-ROM, not on the machine itself)
and do checksum comparisons against binaries on the machine vs. what
should be installed.  Port scan the machine from an outside machine and 
look for ports that are open that should not be.  Use a known good
version of ps and lsof (again from a floppy or CD, statically linked so
not depending on libs on the suspect machine) and look for unknown
processes and/or programs opening files that you do not understand.  Lots
more, lots of work, but the only way to detect if someone good has
gotten into the box.

- rick warner

On Tue, 2003-07-01 at 07:45, Bill Tangren wrote:
> I have a perplexing problem. I received an email this morning from 
> someone who states that he was surfing my web site site1.com, when he 
> received a portscan attack from site2.com. However, site2.com is a 
> VirtualHost that is aliased to site1.com. This person told us because he 
> said we might have been hacked. I immediately changed the root password.
> 
> Could someone tell me how this could have happened? If you do a lookup 
> on site2.com, and then do a reverse lookup on that IP number, you see 
> site1.com, not site2.com.
> 
> If I have been hacked, what should I look at? I don't see any obvious 
> evidence in the logs, but I'm not sure I would.
> 
> TIA,
> 
> Bill Tangren
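A concrete version of the host checks Rick lists (recently modified files,
regular files under /dev, checksum comparison against a known-good
baseline, and processes the kernel knows about that ps does not show),
written up here as an added example; it is not code from Rick's post, from
Bill, or from any Red Hat tool. Assumptions: the suspect filesystem is
mounted at ROOT (ideally read-only, from a rescue CD), the baseline was
generated on a known-good install of the same packages and stored off the
suspect host, SHA-256 stands in for whatever checksum tool you trust, and
find/sha256sum/ps are run from trusted media rather than from the suspect
machine's own /bin. The external port scan from a second machine is left
out because it cannot be done from the box itself.

```shell
#!/bin/sh
# Added triage example (not from the original post). Paths, the baseline
# file name and the PS override are assumptions for illustration.

# 1. Files modified or created in the last DAYS days under ROOT.
#    Every hit should have a known explanation (package update, log rotation).
recent_files() {   # usage: recent_files ROOT DAYS
    find "$1" -xdev -type f -mtime "-$2" 2>/dev/null | sort
}

# 2. Regular files under the device directory. /dev should hold only
#    device nodes, directories, symlinks and a few fifos; a regular file
#    there is a classic place to stash a rootkit's config or a sniffer log.
regular_files_in_dev() {   # usage: regular_files_in_dev DEVDIR
    find "$1" -type f 2>/dev/null | sort
}

# 3. Build a baseline: "<sha256>  ./relative/path" per file, sorted by path.
#    Run this on the known-good install and keep the output off the host.
make_baseline() {   # usage: make_baseline ROOT > baseline.sha256
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 )
}

# 4. Compare every baseline entry against ROOT. Prints CHANGED:/MISSING:
#    lines and returns 1 if anything differs, 0 if all match. The loop is
#    done in shell rather than with "sha256sum -c" so that a missing file
#    (deleted or moved by the intruder) is reported distinctly from a
#    modified one (e.g. a trojaned ls or login).
verify_baseline() {   # usage: verify_baseline ROOT BASELINE
    vb_status=0
    while read -r vb_sum vb_path; do
        if [ ! -f "$1/$vb_path" ]; then
            echo "MISSING: $vb_path"
            vb_status=1
        elif [ "$(sha256sum "$1/$vb_path" | cut -d' ' -f1)" != "$vb_sum" ]; then
            echo "CHANGED: $vb_path"
            vb_status=1
        fi
    done < "$2"
    return $vb_status
}

# 5. PIDs the kernel exposes in /proc that ps does not report. A userland
#    rootkit that replaces ps or hooks libc can hide processes but cannot
#    remove their /proc entries; a kernel-level rootkit can, so an empty
#    result is a hint, not proof. Short-lived processes can also show up
#    here, so re-run it and look for PIDs that persist. Point PS at the
#    statically linked ps from the rescue CD, e.g. PS=/mnt/cdrom/ps.
hidden_pids() {
    for hp_dir in /proc/[0-9]*; do
        hp_pid=${hp_dir#/proc/}
        "${PS:-ps}" -p "$hp_pid" -o pid= >/dev/null 2>&1 || echo "$hp_pid"
    done
}

# Run all checks when invoked as: sh triage.sh ROOT BASELINE
if [ $# -eq 2 ]; then
    echo "== files modified in the last 7 days ==";  recent_files "$1" 7
    echo "== regular files in $1/dev ==";             regular_files_in_dev "$1/dev"
    echo "== baseline differences ==";                verify_baseline "$1" "$2"
    echo "== PIDs in /proc not shown by ps ==";       hidden_pids
fi
```

The order matters: generate the baseline before you need it, from a clean
install, and never trust a baseline that lived on the suspect disk, since
an intruder who replaced /bin/ls can just as easily have rewritten the
checksum file next to it.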



-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list