Hi,

It looks as though I have a failed attempt with an RSHA rootkit. Very weird, and I'm a little rusty on my Linux at the moment.

If I do

    ls -la /var/log

I get my normal log files listed. If I do

    cd /var/log
    ls -la

I get:

    ls: tmp: No such file or directory
    ls: .sniffer: No such file or directory
    ls: .pwdhack: No such file or directory
    ls: ag: No such file or directory
    ls: .swdeb: No such file or directory
    ls: uneg.pl: No such file or directory
    ls: 87.74.31.146: No such file or directory
    ls: check.pl: No such file or directory
    ls: 87.74.31.146.bad: No such file or directory
    ls: 87.74.31.146.good: No such file or directory
    ls: nmap-4.03.tgz: No such file or directory
    total 8
    drwxr-xr-x  9 root root 4096 Jun 29 15:14 .
    drwxr-xr-x 21 root root 4096 May  9  2004 ..

I have run rkhunter and it finds nothing amiss, and I can't see any other evidence that they gained access to my system, or I suspect they would have fixed the above so they could do whatever it is they wanted to do without me knowing about it.

I need to update my openssl, my apache, my openssh and my gnupg, apparently, but other than that I run a very restrictive firewall on this machine... so, erm, does anyone know how the above can happen? Why is it that when I cd to a directory, it displays different contents than when I do an ls /absolute/path? Or, worst case, could it be compromised and should I reload?

Having said that, I've had a look with an external sniffer and I can't see any unusual traffic, and no unusual connections either.

Thanks for your help.

Bill

_______________________________________________
Rkhunter-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/rkhunter-users
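The symptom described in the post, `ls` giving one answer for a path and a different one after `cd`, is what a practitioner would first try to pin on the `ls` the shell is actually running, before treating the box as compromised. The script below is an added example, not code from the post or from rkhunter: it enumerates a directory three independent ways (the `ls` found on PATH, the shell's own glob expansion, and `find`) and reports any name that `ls` omits. The fixture directory, the file names in it and the fake hiding `ls` are constructed here for the demonstration; the path `/bin/ls` for the genuine binary is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post or rkhunter): cross-check three
# independent ways of enumerating one directory so that an `ls` which hides
# entries (a replaced binary, a wrapper earlier on PATH, an alias or a shell
# function) stands out.
#   1. whatever `ls` the shell resolves on PATH
#   2. the shell's own glob expansion, which reads the directory itself
#   3. find(1), a separate binary with its own directory read
# Caveat: a kernel-level or LD_PRELOAD rootkit lies to all three alike, so
# agreement proves nothing; only disagreement is informative.
export LC_ALL=C   # byte-order sorting so the listings compare deterministically

# How the shell resolves the word `ls` (path of the binary it would run).
resolve_ls() { command -v ls; }

# 1. Names via the `ls` on PATH, excluding . and .., one per line, sorted.
list_via_ls() { ls -A "$1" | sort; }

# 2. Names via glob expansion: the shell calls readdir() itself.
list_via_glob() {
  ( cd "$1" || exit 1
    for f in * .*; do
      case "$f" in .|..) continue ;; esac
      [ -e "$f" ] || [ -L "$f" ] || continue   # unmatched literal pattern
      printf '%s\n' "$f"
    done ) | sort
}

# 3. Names via find(1): prune at the top level, strip the leading ./ prefix.
list_via_find() {
  ( cd "$1" || exit 1
    find . ! -name . -prune -print | sed 's|^\./||' ) | sort
}

# Every name that readdir-based enumeration (2 or 3) sees but `ls` (1) does not.
# Prints "HIDDEN <name>" per such entry; prints nothing when all three agree.
hidden_from_ls() {
  _seen=$(list_via_ls "$1")
  { list_via_glob "$1"; list_via_find "$1"; } | sort -u |
  while IFS= read -r name; do
    printf '%s\n' "$_seen" | grep -Fxq -- "$name" || printf 'HIDDEN %s\n' "$name"
  done
}

# Constructed fixture: a directory holding names like those in the post, plus a
# fake `ls` in "$fixture/bin" that runs the real /bin/ls (assumed path) and drops
# two names, as a userland rootkit's replacement ls would. Prints the fixture path.
make_fixture() {
  fixture=$(mktemp -d)
  mkdir "$fixture/target" "$fixture/bin"
  for n in messages secure .sniffer uneg.pl check.pl; do : > "$fixture/target/$n"; done
  cat > "$fixture/bin/ls" <<'EOF'
#!/bin/sh
/bin/ls "$@" | grep -v -e '^\.sniffer$' -e '^uneg\.pl$'
EOF
  chmod +x "$fixture/bin/ls"
  printf '%s\n' "$fixture"
}

# Run the check with the genuine ls, then with the fake one first on PATH.
demo() {
  fx=$(make_fixture)
  printf 'genuine ls (%s):\n%s\n' "$(resolve_ls)" "$(hidden_from_ls "$fx/target")"
  ( PATH="$fx/bin:$PATH"; export PATH
    printf 'shadowed ls (%s):\n%s\n' "$(resolve_ls)" "$(hidden_from_ls "$fx/target")" )
  rm -rf "$fx"
}

demo
```

Run it with `sh`; the first pass prints no HIDDEN lines, the second names the two entries the fake `ls` swallowed. Because a script never sees the interactive shell's aliases and functions, also run `type ls` and `alias ls` in the shell where the odd output appeared, and verify the binary itself against the package database (`rpm -V coreutils` or `debsums coreutils`). If those checks come back clean and the discrepancy persists, the hiding is happening below userland and the only trustworthy inspection is from a boot medium that does not run the suspect kernel.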
