Rick Warner wrote:
I would ask for the nature of the evidence of the port scan. Also,
what is the nature of the content of the web server @ site1.com?

I have no evidence ... yet. Just someone's word that a port scan originated from my server. The web server is simple. Two virtual hosts, and we offer up text, and a few simple cgi scripts that call FORTRAN programs that serve up text files.


I have seen various port scan detectors flag a port scan due to certain traffic from web sites. May be a red herring, then again it
might be real. BTW, if you had been hacked, changing the root password
could likely be a NOOP - a good intruder would have a root kit installed
and would not need the root password, and would be scanning for
passwords anyway. And you would not see evidence in logs either; the hacker would have trimmed the evidence out.


Perhaps it is time to read up on detecting intrusions, and cleaning up afterward. Detecting is tough if the person is good, but there is
often some evidence left behind. A place to start is scanning for all
files modified or created in the past week or so, and make sure you know
why each file was modified/created. Look at various config files for
changes. Look for regular files in /dev. Use a known good version of
a checksum generator (on a floppy or CD-ROM, not on the machine itself)
and do checksum comparisons against binaries on the machine vs. what
should be installed. Port scan the machine from an outside machine and look for ports that are open that should not be. Use a known good
version of ps and lsof (again from a floppy or CD, statically linked so
not depending on libs on the suspect machine) and look for unknown
processes and/or programs opening files that you do not understand. Lots
more, lots of work, but the only way to detect if someone good has
gotten into the box.


- rick warner

Thanks for the advice.

Bill
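The file-system checks Rick lists (recently changed files, regular files under /dev, checksums of binaries against a known-good list) as an added shell example, not code from this thread. It takes a tree root as an argument so it can be rehearsed on a constructed directory; the fixture, manifest and file names are invented, and on a real box the script and sha256sum would themselves come from trusted read-only media, which this demo does not do.

```shell
#!/bin/sh
# Added example, not from the thread: Rick's checks as functions over a tree root.
# Assumes find, awk and sha256sum (or shasum) are available on the examining host.

hash_file() {  # SHA-256 of one file
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi; } | cut -d' ' -f1
}

# A real /dev should hold only device nodes; any regular file there needs explaining.
regular_files_in_dev() {
    find "$1/dev" -type f 2>/dev/null | sort
}

# Files under $1 changed within the last $2 days: each one needs a known reason.
recently_modified() {
    find "$1" -type f -mtime "-$2" 2>/dev/null | sort
}

# Compare every binary under $1/bin with a trusted manifest ($2) of "hash  /bin/name" lines.
verify_binaries() {
    root=$1; manifest=$2
    for f in "$root"/bin/*; do
        rel=${f#"$root"}
        expected=$(awk -v p="$rel" '$2 == p { print $1 }' "$manifest")
        if [ -z "$expected" ]; then echo "UNLISTED $rel"
        elif [ "$(hash_file "$f")" != "$expected" ]; then echo "MODIFIED $rel"
        fi
    done
}

# Constructed fixture (hypothetical, not a real host): a clean tree and its manifest,
# then a replaced ps, an extra unlisted binary and a regular file under dev.
build_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/dev"
    printf 'ls-v1\n' > "$root/bin/ls"; printf 'ps-v1\n' > "$root/bin/ps"
    for b in ls ps; do printf '%s  /bin/%s\n' "$(hash_file "$root/bin/$b")" "$b"; done > "$root.manifest"
    touch -t 202001010000 "$root/bin/ls"          # ls is old and untouched
    printf 'ps-trojan\n' > "$root/bin/ps"          # replaced binary at the same path
    printf 'sniff\n' > "$root/bin/sniff"           # binary not in the manifest
    printf 'stash\n' > "$root/dev/.hidden"         # regular file under dev
    echo "$root"
}

ROOT=$(build_fixture)
regular_files_in_dev "$ROOT"               # -> $ROOT/dev/.hidden
verify_binaries "$ROOT" "$ROOT.manifest"   # -> MODIFIED /bin/ps, UNLISTED /bin/sniff
recently_modified "$ROOT" 7                # -> bin/ps, bin/sniff, dev/.hidden (not bin/ls)
```

Against a live system the same functions would be called with / as the root (excluding /proc and similar pseudo-filesystems) and a manifest generated from the distribution's packages, not from the suspect machine.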



--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://www.redhat.com/mailman/listinfo/redhat-list
