If he wasn't very smart, check your /var/log/messages file.  Also check 
/var/log/secure.  See if you can find where he came in.  Perhaps 
examining the other processes running (shell scripts) you "may" find 
some more clues.

If he was a "smart" hacker then the logs have been cleaned and anything 
he is running probably won't give much info.  tcpdump is probably your 
best bet for catching him though I wouldn't want the machine running any 
longer than necessary on a network I own.  Even if you did catch where 
it came from, most likely those systems are also compromised computers 
and he's remote controlling them. 

Personally I would cut my losses, reinstall and get all the patches in 
place.  It's a sick world we live in :-(

Frank
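An added example, not code from this thread or from Red Hat: a small POSIX shell triage script that applies the two checks Frank suggests (login records in /var/log/secure and the `ps aux` process list) to constructed sample data, so the output can be inspected before running the same functions against a real host. The log excerpt, the process listing, the host name dns1 and all addresses are constructed; the sshd line layout is assumed to follow the usual "Accepted <method> for <user> from <addr>" form, and the process patterns are assumptions modelled on what Ed described (odd shell scripts, compiles, scanners).

```shell
#!/bin/sh
# Added triage example (not from the thread). Sample data below is constructed.

# Constructed excerpt in the style of /var/log/secure (sshd lines).
SAMPLE_SECURE='Feb 16 01:58:12 dns1 sshd[1301]: Failed password for root from 203.0.113.45 port 3988 ssh2
Feb 16 01:58:15 dns1 sshd[1301]: Failed password for root from 203.0.113.45 port 3988 ssh2
Feb 16 01:58:21 dns1 sshd[1309]: Accepted password for root from 203.0.113.45 port 3991 ssh2
Feb 16 08:30:02 dns1 sshd[1622]: Accepted publickey for ed from 192.0.2.10 port 51022 ssh2
Feb 16 09:02:44 dns1 sshd[1710]: Accepted password for root from 203.0.113.45 port 4102 ssh2'

# Constructed excerpt in the style of `ps aux` output.
SAMPLE_PS='USER       PID %CPU %MEM   VSZ  RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.1  1104  472 ?        S    Feb15   0:04 init
named      612  0.2  1.3  3260 1640 ?        S    Feb15   1:12 named -u named
root      2231 41.0  0.9  2080 1188 ?        R    02:00   9:31 sh ./hackeda
root      2240 38.0  2.1  6120 2700 ?        R    02:01   8:50 gcc -o bindscan bindscan.c
root      2301 12.0  0.6  1820  820 ?        S    02:03   3:12 ./scan 198.51.100.0
ed        2990  0.0  0.4  1712  548 pts/0    S    08:31   0:00 -bash'

# Summarise successful logins per source address and account.
# Reads sshd-style log lines on stdin; prints "count address user", most frequent first.
# Assumes the standard field layout: $6 == "Accepted", $9 == user, $11 == source address.
accepted_logins_by_source() {
    awk '$6 == "Accepted" { n[$11 " " $9]++ }
         END { for (k in n) print n[k], k }' | sort -rn
}

# Flag processes whose command matches the kinds of things described in the thread:
# shell scripts run by name, compiler invocations, and anything calling itself a scanner.
# Reads `ps aux` output on stdin (header line skipped); prints "pid user command".
suspicious_procs() {
    awk 'NR > 1 {
            cmd = ""
            for (i = 11; i <= NF; i++) cmd = cmd (i > 11 ? " " : "") $i
            if (cmd ~ /^(sh|bash) |\.sh( |$)|^(gcc|cc|make)( |$)|scan/)
                print $2, $1, cmd
         }'
}

echo "== successful logins by source (count address user) =="
printf '%s\n' "$SAMPLE_SECURE" | accepted_logins_by_source
echo "== suspicious processes (pid user command) =="
printf '%s\n' "$SAMPLE_PS" | suspicious_procs
```

On a real host the same functions take the real input: `accepted_logins_by_source < /var/log/secure` and `ps aux | suspicious_procs`. Two caveats follow directly from Ed's report that standard utilities had been replaced: the `ps`, `awk` and shell on the box may themselves be trojaned, so run these from known-good binaries (for example from read-only media) and treat anything the host's own tools report as evidence to corroborate, not as the truth; and if the logs have been cleaned, as Frank expects of a careful intruder, the login summary will simply be empty, which is itself worth noting. On a Red Hat system `rpm -Va` lists files that differ from the package database, which is a quick way to confirm which utilities were swapped, provided rpm and its database were not tampered with.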



Ed Lazor wrote:

> Originally, I started having problems on all of my machines and I 
> figured out it was because of poor performance on my dns server.  
> Named wasn't responding to lookups, so I tried restarting it, but that 
> didn't work.  It kept telling me the port was already in use.  I tried 
> restarting inet and other network services, but finally defaulted to 
> just rebooting the machine.  After reboot, it took forever for me to 
> get back in.  When I did, I discovered the system load was over 9.  I 
> checked the process list and discovered all kinds of extra things 
> running.  Several compiles and several scans for bind exploits were in 
> progress.  It looks like my machine was taken over to attack other 
> machines.  I did more exploring and discovered other utilities 
> installed and many of the standard system utilities had been replaced.
> 
> I am definitely going to rebuild this machine and a couple of others 
> to make sure everything is ok.  In the process, I'm hoping there's a 
> way I can trace where the hacker is coming from and attempt catching 
> them.  Is tcpdump the only tool I can use for this?
> 
> -Ed
> 
> 
> At 09:35 AM 2/16/2001 -0700, Frank Carreiro wrote:
> 
>> do the following...
>> 
>> ps aux
>> 
>> 
>> see what processes they are running.  If you see some shell scripts 
>> running (called hackeda, hackb) stuff like that then it's VERY likely 
>> you were hit by the ramen worm.  I would recommend you pull the plug 
>> and consider if there is ANY data you really need on the system.  If 
>> not wipe it clean and reinstall.
> 



_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list