On 25 Feb, Lenz Grimmer wrote:
>
> Hi,
>
> On Thu, 25 Feb 1999 [EMAIL PROTECTED] wrote:
>
>> I noticed activity from a program linsniff on my system.
>> I am suspicious about it.
>
> Well, you definitely should. Do you see the program in the process table?
> You should disconnect the network from that machine, if possible. Then go
> and look for that bastard.
>
>> I did a locate linsniff, but did not find anything with ls -al like linsniff
>> where it was reported to be.
>
> Look for hidden directories in /tmp or /var/tmp.
>
>> As a precaution I have changed all passwords.
>
> A good start. But you should go and look for the sniffer itself and how he
> was able to break in. Did you upgrade the wu-ftpd?
>
>> Please tell me that I'm not the victim of a hacker attempt. :-))
>
> Well, it _could_ be an intrusion. Better check your system thoroughly.
> Also look for trojans, maybe the intruder modified some binaries.
> "rpm -Va" will give you a list of modified files (assuming that the RPM
> database is still intact)
>
> Good luck!
>
> Bye,
> LenZ
>
> --
> ------------------------------------------------------------------
> Lenz Grimmer SuSE GmbH
> mailto:[EMAIL PROTECTED] Schanzaeckerstr. 10
> http://www.suse.de/~grimmer 90443 Nuernberg, Germany
>
> -
> To get out of this list, please send email to [EMAIL PROTECTED] with
> this text in its body: unsubscribe suse-linux-e
> Check out the SuSE-FAQ at http://www.suse.com/Support/Doku/FAQ/ and the
> archive at http://www.suse.com/Mailinglists/suse-linux-e/index.html
And if you don't find any hidden directories ("..." is one that hackers
love because most people overlook it) that doesn't mean that they are
not there anyway. If someone got root access on your machine and
installed a "root kit" he may have changed your UNIX commands to blind
them for his activities. Happened to me while running RH 5.0 and was
one of the reasons I was switching over to SuSE. Look up your
/etc/passwd or /etc/shadow file to see whether you see any unusual
entries, i.e., new accounts that you didn't create or modified
pre-existing accounts. Furthermore, as root do an 'rpm -Va' and check
for any suspicious changes in the size of your UNIX utilities (like ls
or find, etc). If they have been changed you are likely the victim of a
root attack, and no matter how often you change your root password he
will always be a step ahead of you. Then your only option is to back up
your user data (hopefully you have done that before :-) because he may
have laid an egg there as well), clean your hard drive and make a
complete install from scratch.
Best regards, Alex.
--
Dr. Alexander Angerhofer
Associate Professor of Chemistry
Department of Chemistry
The University of Florida
Box 117200
Gainesville, FL 32611-7200
USA
Tel.: (+1) 352 846 3281
alt.: (+1) 352 392 9489
lab : (+1) 352 846 3283
FAX : (+1) 352 392 0872
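
The checks suggested in this thread (hidden directories in /tmp and /var/tmp, unusual /etc/passwd entries, `rpm -Va` changes to utilities), collected as an added example that is not part of either message. The function names and the UID-0/empty-password heuristics are assumptions of this example, and the output is only meaningful when it is run with known-good tools, since a root kit can alter the installed ones.

```shell
#!/bin/sh
# Added example: triage helpers for the checks named in this thread.
# Function names are hypothetical. Use known-good binaries (rescue media):
# a root kit may have replaced the installed find, awk or rpm.

# List hidden directories under the given roots. Names made only of dots
# and spaces (such as "...") are tagged DOTS because they are easy to miss.
hidden_dirs() {
    find "$@" -xdev -type d -name '.*' 2>/dev/null |
    while IFS= read -r d; do
        rest=$(printf '%s' "${d##*/}" | tr -d '. ')
        if [ -z "$rest" ]; then
            printf 'DOTS %s\n' "$d"
        else
            printf 'hidden %s\n' "$d"
        fi
    done
}

# From a passwd-format file, print accounts that have UID 0 without being
# "root", or that have an empty password field (heuristics assumed here).
odd_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0 " $1 }
             NF > 1 && $2 == ""      { print "nopass " $1 }' "$1"
}

# Read `rpm -Va` output on stdin (lines like "S.5....T   /bin/ls") and
# print files in bin/sbin directories whose size (S) or digest (5) changed.
changed_binaries() {
    awk '$1 ~ /^[.?SM5DLUGTP]+$/ && $1 ~ /[S5]/ &&
         $NF ~ /^\/(usr\/)?s?bin\// { print $1, $NF }'
}

# Run against the live system only when asked: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    hidden_dirs /tmp /var/tmp
    odd_accounts /etc/passwd
    rpm -Va 2>/dev/null | changed_binaries
fi
```

A clean result does not clear the machine if the RPM database itself could have been tampered with, which is the caveat already raised in the first reply.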