I got hit with a very obvious script attack last week that was fairly
easy to track (although I still reinstalled just to make sure).  As
script kiddies aren't known for creative attacks it might be the
same.  Check your /usr/login and make sure it's around 20132 in size and
its change date isn't weird.  If it is, note the change date and search
your logs for an odd login at that time.  You should still reinstall but at
least you can throw the ip in your hosts.deny and shoot off an e-mail to
their ISP.  There might also be a /tmp/.t directory created with some
crap in it.

-Ben Newman

Zorak does not like R.E.M. with the bald weirdo flailing about and is
irked when no one offers alternatives in modern times.
                                        -- Zorak, evil space mantis


On Wed, 1 Mar 2000, Bernhard Rosenkraenzer wrote:

> On Wed, 1 Mar 2000, M. Erickson wrote:
> 
> > No need to reformat, toss that windows paradigm aside, learn a new way of
> > dealing with things like this! Just update BIND, XFS, and check through
> > all your .history/.bash_history files and find out what else has been
> > done..
> 
> Finding out what else has been done is not exactly a trivial task. If
> whoever did this isn't totally braindead, he edited .history and logfiles
> to hide traces. (But then it seems to be someone stupid because he didn't
> remove the ADMROCKS file).
> 
> rpm --verify can help you find modified files, and a find / -perm 4755
> will find added setuid bits, but that's still not everything someone could
> have done.
> 
> Unless you absolutely know how to deal with this, backing up your data and
> reinstalling is probably the best thing to do.
> 
> LLaP
> bero
> 
> 
> 
> -- 
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
> 
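
An added example, not part of either message above: two shell helpers for the checks the thread names, filtering `rpm --verify` output down to changed binaries and listing setuid/setgid files that are not in a known-good baseline. The function names and the sample report are constructed for illustration; note that `find -perm 4755` matches only that exact mode, so the helper uses `-perm -4000` / `-perm -2000` to catch any mode carrying the bit.

```shell
#!/bin/sh
# Added example: function names and sample data are hypothetical/constructed.

# Read `rpm --verify` output on stdin; print entries that are missing or whose
# size (S), digest (5) or mode (M) changed. Files rpm marks as config (c),
# doc (d), ghost (g), license (l) or readme (r) are skipped, and mtime-only
# (T) lines are dropped as low signal (a design choice of this example).
rpm_verify_triage() {
    awk '
        { path = $0; sub(/^[^ ]+ +([cdglr] )?/, "", path) }
        $1 == "missing"  { print "MISSING " path; next }
        $2 ~ /^[cdglr]$/ { next }
        $1 ~ /[S5M]/     { print $1 " " path }
    '
}

# List setuid or setgid regular files under $1 that are absent from the
# baseline file $2 (one absolute path per line, taken from a trusted install).
# -perm -4000 matches every mode with the setuid bit set (4755, 4711, 6755...).
new_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print | sort |
        grep -Fvx -f "$2" || true   # grep exits 1 when nothing is new
}

# Constructed sample of rpm --verify output (not taken from a real host).
sample_report() {
    cat <<'EOF'
S.5....T.    /bin/login
.......T.    /usr/bin/less
S.5....T.  c /etc/named.conf
missing      /usr/sbin/tcpd
.M.......    /usr/bin/passwd
EOF
}

sample_report | rpm_verify_triage
```

On a suspect host, run both against output captured from trusted media, since a replaced `rpm`, `find` or RPM database will report whatever the intruder wants.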

