I would also download chkrootkit from www.chkrootkit.org to make sure that there are no rootkits (backdoors/trojan horses) installed on the server.

david
On Tue, 2003-07-01 at 18:35, Bill Tangren wrote:
> MKlinke wrote:
> > On Tuesday 01 July 2003 15:45, Bill Tangren wrote:
> >
> >>I have a perplexing problem. I received an email this morning from
> >>someone who states that he was surfing my web site site1.com, when
> >>he received a portscan attack from site2.com. However, site2.com is a
> >>VirtualHost that is aliased to site1.com. This person told us because
> >>he said we might have been hacked. I immediately changed the root
> >>password.
> >>
> >>Could someone tell me how this could have happened? If you do a
> >>lookup on site2.com, and then do a reverse lookup on that IP number,
> >>you see site1.com, not site2.com.
> >>
> >>If I have been hacked, what should I look at? I don't see any obvious
> >>evidence in the logs, but I'm not sure I would.
> >>
> >>TIA,
> >>
> >>Bill Tangren
> >
> >
> > Did this person send along any logs showing the scan packets or offer
> > any kind of detail as to what he meant by "portscan?"
> >
> > Regards, Mike Klinke
> >
> >
>
> I requested logs from his firewall, but have not heard back. This is
> weird as the machine in question is a server only, and I don't have
> telnet (server or client) on it. The few who have accounts have to use
> ssh (protocol 2 only) to get access. Also, all packages are up to date,
> and I am behind a firewall (which I don't maintain). Weird.
>
> Bill

--
David Richards <[EMAIL PROTECTED]>
www.skyforge.net www.drp.se