On Sun, Jun 02, 2002 at 09:25:01AM +0800, Huter.Liu wrote:
> Hi, everyone!
> I'm using rh7.2, but my machine was hacked recently. I run wu-ftpd
> and a www server only. I really don't know how the hacker broke in; I
> guess maybe it was through wu-ftpd, the ftp server. Now I have found there is a tcp
> link:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> tcp        0      0 My IP:41430             205.252.46.98:6667      ESTABLISHED
>
> What does this mean?
> The ps and netstat commands were unusable, so I downloaded the procps and
> net-tools rpms and upgraded the two packages. That is how I found the strange
> 41430 port, but when I use ps aux|less the running processes look
> quite normal. What should I do as the next step?

Standard procedure in such unfortunate situations:

- Unplug/disconnect from network.
- Back up any personal data. Do _not_ back up any system files like
  configuration files.
- Find installation disks, re-install while reformatting all partitions
  as you go.
- Restore personal backups.
- Disable all outside/public services.
- Apply all errata updates from Red Hat or a mirror.
- Re-examine local policies, i.e. 'should I run services that have a
  really bad track record for exploits, and if so, how can I make this
  harder for the next time?'
- Re-connect to the network, and run up2date at least once a day.

The reason is that someone else seems to have root access on your
machine, and may have multiple backdoors that are well concealed, and
you may never find them all.

-- 
Hal Burgiss
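The original poster found the 41430 -> 6667 connection only after replacing the procps and net-tools packages, because the installed `ps` and `netstat` binaries had been tampered with. A common cross-check in that situation is to bypass those binaries entirely and read the kernel's own `/proc/net/tcp` table, which is what `netstat` parses under the hood, and then map the socket inode to a PID through `/proc/<pid>/fd`. The script below is an added example written for this page, not code from the thread or from Red Hat. The `/proc/net/tcp` sample is constructed: it mirrors the poster's connection to 205.252.46.98:6667, with 192.168.1.10 standing in for "My IP", plus the listening ftp and www sockets the poster mentioned. The suspicious-port list is an assumed local policy, not a standard. A kernel-level rootkit can hide from `/proc` as well, which is why the reply's advice to rebuild from install media still stands; this check only tells you whether the user-space tools were lying.

```python
import os
import socket
import struct

# Socket states as encoded in the 'st' column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}

# Assumed local policy: remote ports this host has no business talking to.
# 6667 is the standard IRC port that appeared in the poster's netstat output.
SUSPICIOUS_PORTS = {6667}


def decode_endpoint(hexaddr):
    """Decode 'AABBCCDD:PPPP' from /proc/net/tcp into ('a.b.c.d', port).

    The IPv4 address is stored as a 32-bit value in host byte order
    (little-endian on x86); the port is plain big-endian hex.
    """
    addr_hex, port_hex = hexaddr.split(":")
    packed = struct.pack("<I", int(addr_hex, 16))
    return socket.inet_ntoa(packed), int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of connection dicts."""
    conns = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local_ip, local_port = decode_endpoint(fields[1])
        remote_ip, remote_port = decode_endpoint(fields[2])
        conns.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return conns


def flag_suspicious(conns, ports=SUSPICIOUS_PORTS):
    """Return established connections whose remote port is in the policy list."""
    return [c for c in conns
            if c["state"] == "ESTABLISHED" and c["remote"][1] in ports]


def find_owner(inode, proc="/proc"):
    """Map a socket inode to a PID by scanning /proc/<pid>/fd, as netstat -p does.

    Returns None if no process holds the socket or /proc is not readable.
    """
    target = "socket:[%d]" % inode
    try:
        pids = [p for p in os.listdir(proc) if p.isdigit()]
    except OSError:
        return None
    for pid in pids:
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
        except OSError:
            continue  # process exited or not ours to inspect
    return None


# Constructed sample in /proc/net/tcp layout: ftp (21) and www (80) listening,
# plus the poster's established connection 192.168.1.10:41430 -> 205.252.46.98:6667.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 00000000 300 0 0 2 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 00000000 300 0 0 2 -1
   2: 0A01A8C0:A1D6 622EFCCD:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 1337 1 00000000 20 4 30 10 -1
"""


def report(text):
    """Print flagged connections with their owning PID (None when run offline)."""
    for c in flag_suspicious(parse_proc_net_tcp(text)):
        print("%s:%d -> %s:%d uid=%d inode=%d pid=%s" % (
            c["local"] + c["remote"] + (c["uid"], c["inode"], find_owner(c["inode"]))))


if __name__ == "__main__":
    report(SAMPLE)  # swap in open("/proc/net/tcp").read() on a live host
```

On a live host, run it as root so `/proc/<pid>/fd` is readable for every process; a connection that shows up here but not in the system's `netstat` is strong evidence the binary was replaced, and a connection that shows up in neither while the remote side clearly sees it points at something below user space.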
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list