Michael Yuan wrote:
> OK, I found it at /dev/gdm/.n2o/ I do not know if this directory itself
> is legal? The "eggdrop" exec is dated April 1st, which is surprising since
> I installed my system on March 23rd!!! I have only used ssh to that
> machine and disabled "finger, talk, telnet, ftp ..." I could not
> understand most of the config files in the eggdrop directory. Could anyone
> help me read them if I post them on the web? :)
>
> I renamed this eggdrop exec file and killed the running process. It has
> not come back so far. I did not see anything in the crontab directories
> though. There is nothing in /var/log/secure either. However, there is a lot
> of stuff in /var/log/messages.2 and /var/log/messages.3. I noticed that
> "named" is very active in message1. I planned to run DNS on that computer
> and had named running but did not really get time to config it. So, it is
> unlikely that it will get too many DNS requests. But most of those named
> activities seem to be hourly clear-up work. Is that normal? message.2
> recorded several "su"'s for user "news". That is strange too ...
>
> Oh wait ... the log says that he restarted inetd on April 1st too. He has
> restarted the services I disabled, especially "shell" and "rlogin". I
> think he must have gained root access to modify "inetd.conf"?
>
> I know I should reinstall the system AGAIN! But since it is the second
> time I got compromised, I will backup all my data from that computer and
> try to see how the hacker works so that I can prevent future attacks. I
> will keep you guys posted about my discovery ...
>
> Thanks
> Michael
>
> ---------------------------------------------------------------------------
> Send administrative requests to [EMAIL PROTECTED]
Michael-
Go get yourself Portsentry!!!!! at psionic.com -
This should never happen again if you use it correctly.
Clifford
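A small triage helper, added here and not from the thread, that checks for the indicators Michael describes: su entries that involve the "news" account, inetd restarts, and r-services switched back on in inetd.conf. The log lines and the inetd.conf fragment are constructed samples, and the exact su log line format is an assumption.

```python
import re

# Constructed /var/log/messages-style lines (the su line format is assumed).
SAMPLE_MESSAGES = """\
Apr  1 03:12:44 host su: (to news) root on /dev/pts/0
Apr  1 03:13:01 host inetd[212]: restarting
Apr  1 04:00:02 host named[180]: Cleaned cache of 3 RRs
Apr  1 04:05:17 host su: (to root) news on /dev/pts/1
"""

# Constructed inetd.conf fragment: shell and login (rlogin) have been re-enabled.
SAMPLE_INETD_CONF = """\
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
shell    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd
login    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rlogind
#finger  stream  tcp  nowait  nobody /usr/sbin/tcpd  in.fingerd
"""

# System accounts that should not appear as an su source or target on a quiet box.
SERVICE_ACCOUNTS = {"news", "daemon", "bin", "sys", "lp", "mail", "uucp", "nobody"}
# Services the poster had disabled and found switched back on.
RISKY_SERVICES = {"shell", "login", "exec", "telnet", "finger", "talk", "ftp"}
SU_RE = re.compile(r"su(?:\[\d+\])?: \(to (\S+)\) (\S+) on ")

def suspicious_su(lines):
    """(target, source) pairs for su events that involve a service account."""
    hits = []
    for line in lines:
        m = SU_RE.search(line)
        if m and {m.group(1), m.group(2)} & SERVICE_ACCOUNTS:
            hits.append((m.group(1), m.group(2)))
    return hits

def inetd_restarts(lines):
    """Lines showing inetd being restarted, which here followed the inetd.conf edit."""
    return [line for line in lines if "inetd" in line and "restart" in line]

def enabled_risky_services(conf_text):
    """Service names from uncommented inetd.conf entries that should stay disabled."""
    enabled = []
    for line in conf_text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#") and fields[0] in RISKY_SERVICES:
            enabled.append(fields[0])
    return enabled
```

Run the three checks against the real /var/log/messages* files and /etc/inetd.conf of the box; any non-empty result is a lead worth following before the reinstall.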