At 05:47 PM 12/5/2000 -0600, you wrote:
>Good ideas, but remember that files on a hacked system are always suspect; for
>example, several exploits will run extra copies of inetd, with their own copy of
>inetd.conf stashed someplace strange like under /tmp, /var, or /dev.
>
>/etc/passwd is _DEFINITELY_ a good call.
>
>netstat is a likely target for rewriting with a root kit.  Be wary of the output
>from any binary on a compromised machine.
>
>And in any case, I'd want to be sure that I've been hacked before panicking;
>there are lots of reasons why network services stop working.  Log files are your
>friends.  ;)

Log files are also the first thing crackers clean up when they break in. Especially if 
they're interested in staying around a while - they make sure they leave no trace of 
themselves in the log files.

Go ahead and look at the log files, but if your logfiles are "ok", that really doesn't 
mean that your system is.


        JW
>-m
>
>
>
>Statux wrote:
>> 
>> /etc/inetd.conf for one, to see if there are any strange entries
>> 
>> /etc/passwd for funky stuff
>> 
>> also doing 'netstat -a' to see which ports are listening that maybe
>> shouldn't be.. but usually checking inetd.conf will fix most of this.
>> 
>> That's my 2 cents
>> 
>> On Tue, 5 Dec 2000, Scott Skrogstad wrote:
>> 
>> > I might have been hacked but I am not sure.  I have two servers that I
>> > have been able to ftp into; now all of a sudden I connect, give it my user
>> > name and password, and it says invalid password and drops me.  I can turn
>> > around and telnet in just fine.  I thought it was a problem only on one
>> > server and now I find it has just happened to a server that I have always
>> > been able to ftp into.
>> >
>> > What the heck do I check?
>> >
>> > Scott Skrogstad
>> > Computer Integration Inc,
>> > [EMAIL PROTECTED]
>> > 800-522-3475 Phone
>> >
>> >
>> >
>> > _______________________________________________
>> > Redhat-list mailing list
>> > [EMAIL PROTECTED]
>> > https://listman.redhat.com/mailman/listinfo/redhat-list
>> >
>> 
>> --
>> -Statux
>
>-- 
>Michael Jinks, IB // Technical Entity // Saecos Corporation
>"No one speaks English and everything's broken."  -- T. Waits
>"Tom Waits would have made a decent sysadmin."  -- M. Jinks



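The /etc/passwd and /etc/inetd.conf checks suggested in this thread, as an added example that is not part of the original messages. It works on the text of copies read from trusted media rather than on the live host, since the thread notes that files and binaries on a compromised machine are suspect. The baseline service set, the three passwd rules and the sample input are assumptions made for illustration.

```python
# Added example: offline review of copied /etc/passwd and /etc/inetd.conf text.
SUSPECT_DIRS = ("/tmp/", "/var/", "/dev/")  # locations named in the thread


def audit_passwd(text):
    """Flag extra UID 0 accounts, empty password fields and shared UIDs."""
    findings, seen = [], {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7:
            findings.append((n, "malformed entry"))
            continue
        name, pw, uid = f[0], f[1], f[2]
        if uid == "0" and name != "root":
            findings.append((n, f"{name}: UID 0 but not root"))
        if pw == "":
            findings.append((n, f"{name}: empty password field"))
        if uid in seen:
            findings.append((n, f"{name}: shares UID {uid} with {seen[uid]}"))
        seen.setdefault(uid, name)
    return findings


def audit_inetd(text, baseline):
    """Flag active inetd.conf entries that fall outside the expected baseline."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0].startswith("#"):
            continue  # blank line or commented-out service
        if len(f) < 6:
            findings.append((n, "malformed entry"))
            continue
        service, server = f[0], f[5]  # field 6 is the server program path
        if service not in baseline:
            findings.append((n, f"{service}: not in baseline"))
        if server.startswith(SUSPECT_DIRS):
            findings.append((n, f"{service}: server program in {server}"))
    return findings


# Constructed sample input (not taken from the thread).
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "ftp:x:14:50:FTP User:/var/ftp:\n"
          "adm2::0:0::/:/bin/sh\n")
INETD = ("ftp stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a\n"
         "#shell stream tcp nowait root /usr/sbin/tcpd in.rshd\n"
         "svcx stream tcp nowait root /tmp/.x/in.srv in.srv\n")
```

Each finding is a (line number, message) pair; an empty list only means these particular rules matched nothing.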