I think the first thing is "netstat -a", which will tell you which ports are
open.
If you see some you don't expect, trace it with tcpdump.
If you don't see any, they may have installed a hacked version of some
common daemon.
They may also have changed inetd.conf and redirected some normal app to a
root shell.
If you find something interesting with netstat, try netstat -p.
HTH
At 01:32 16/02/2001 -0800, you wrote:
>Someone hacked into one of my systems and I can see them running
>stuff. They seem to have a rootkit installed, because nothing shows up
>under who or w. Is there anything I can do to trace them while they are
>doing this stuff to catch them?
>
>
>
>_______________________________________________
>Redhat-list mailing list
>[EMAIL PROTECTED]
>https://listman.redhat.com/mailman/listinfo/redhat-list
>
>
- * - * - * - * - * - * -
My ideas are mine alone (old Net proverb)
Thierry ITTY
eMail: [EMAIL PROTECTED] FRANCE
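
The inetd.conf check mentioned in the reply above can be scripted. This is an added example, not part of the original message: the function names `flag_inetd_root_shells` and `write_sample_conf` are hypothetical, and the sample entries are constructed. It assumes the classic inetd.conf field layout (service, socket type, protocol, wait, user, server program, arguments).

```shell
#!/bin/sh
# Added example: flag inetd.conf entries that start a shell as root.
# Fields: service socket_type proto wait user server_program args...

flag_inetd_root_shells() {
    # $1: inetd.conf-style file. Prints "line N: <entry>" for each hit.
    awk '
        /^[ \t]*#/ || NF < 6 { next }      # comments, blanks, short lines
        {
            split($5, who, /[.:]/)          # user may be "root.group"
            if (who[1] != "root") next
            # Check the server program and its argv words, so a shell
            # hidden behind a wrapper such as tcpd is caught as well.
            for (i = 6; i <= NF; i++) {
                prog = $i
                sub(/^.*\//, "", prog)      # keep the basename only
                if (prog ~ /^(sh|ash|bash|csh|tcsh|ksh|zsh)$/) {
                    print "line " NR ": " $0
                    next
                }
            }
        }
    ' "$1"
}

# Constructed sample file (hypothetical entries, not from a real host).
write_sample_conf() {
    cat > "$1" <<'EOF'
# constructed sample
ftp    stream tcp nowait root      /usr/sbin/tcpd in.ftpd -l -a
shell  stream tcp nowait root      /usr/sbin/tcpd in.rshd
finger stream tcp nowait root      /bin/sh        sh
time   stream tcp nowait root.root /usr/sbin/tcpd /bin/bash
pop-3  stream tcp nowait nobody    /bin/sh        sh
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
flag_inetd_root_shells "$sample"
rm -f "$sample"
```

On a system where a rootkit is suspected, the local awk and cat binaries may themselves have been replaced, so run a check like this from trusted media or against a copy of the file on a clean machine.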