I think I might have a possible break-in.
Ben Boulanger
ben at blackavar.com
Sat Oct 5 21:24:39 EDT 2002
On Sat, 5 Oct 2002, Steven W. Orr wrote:
> running. But I'm not getting anything at all and it's been running for a
> couple of hours. I also ran chkrootkit and got nothing. I'm wide open to
> suggestions. Also, you can see the firewall hits from the previous day
> here: http://steveo2.syslang.net:8080/fwsummary.html
If you run tcpdump port 7, can you identify the traffic? Are you doing
any NAT with that box? If you're hacked, assume ls, lsof and many others
to be trojaned. I generally traverse /dev looking for directories that
look suspicious, as that's a common place for rootkits (and things like
it) to hang out.
Ben
--
Without rice, even the cleverest housewife cannot cook.
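The /dev walk Ben describes, written out as a small check (an added example, not code from the thread): it uses only find and shell builtins, since ls and lsof may be trojaned on a compromised host, and reports regular files or directories under a /dev-like tree whose top-level directory is not on an allowlist. The allowlist of legitimate /dev subdirectories is an assumption for a typical Linux box, and the sample tree is constructed so the check runs unprivileged and offline.

```shell
#!/bin/sh
# Added example, not from the original post. A genuine /dev holds device nodes,
# symlinks, fifos and a handful of well-known directories; regular files or odd
# directories are where rootkits tend to hide.

# Assumed allowlist of directories that legitimately appear under /dev on Linux.
KNOWN_DEV_DIRS="pts shm mapper input net disk bus block char cpu dri fd hugepages mqueue snd usb vfio v4l"

# Print every regular file or directory under $1 whose top-level component is
# not allowlisted. Deliberately avoids ls/lsof, which may be trojaned.
suspicious_dev_entries() {
    root="$1"
    find "$root" -mindepth 1 \( -type f -o -type d \) 2>/dev/null | while read -r path; do
        name="${path#"$root"/}"      # path relative to the /dev root
        top="${name%%/*}"            # first directory component
        keep=1
        for k in $KNOWN_DEV_DIRS; do
            if [ "$top" = "$k" ]; then keep=0; break; fi
        done
        if [ "$keep" -eq 1 ]; then echo "$path"; fi
    done
}

# Number of flagged entries, for a quick one-line verdict.
count_suspicious() {
    suspicious_dev_entries "$1" | wc -l | tr -d ' '
}

# Constructed stand-in for /dev: legitimate pts/ and shm/, a fifo and a symlink
# (both normal in /dev), plus a planted hidden directory holding a binary.
make_sample_dev() {
    d="$(mktemp -d)"
    mkdir -p "$d/pts" "$d/shm" "$d/.hidden/bin"
    mkfifo "$d/initctl"
    ln -s /proc/self/fd "$d/fd"
    : > "$d/.hidden/bin/sshd"        # a regular file is never legitimate here
    echo "$d"
}
```

On a real host run `suspicious_dev_entries /dev` from a known-good shell and compare the output against the package manager's file list rather than trusting the allowlist alone.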