I think I might have a possible break-in.

Ben Boulanger ben at blackavar.com
Sat Oct 5 21:24:39 EDT 2002


On Sat, 5 Oct 2002, Steven W. Orr wrote:
> running. But I'm not getting anything at all and it's been running for a 
> couple of hours. I also ran chkrootkit and got nothing. I'm wide open to 
> suggestions. Also, you can see the firewall hits from the previous day 
> here: http://steveo2.syslang.net:8080/fwsummary.html

If you run tcpdump port 7, can you identify the traffic?  Are you doing 
any NAT with that box?  If you're hacked, assume ls, lsof and many others 
to be trojaned.  I generally traverse /dev looking for directories that 
look suspicious, as that's a common place for rootkits (and things like 
it) to hang out.

Ben


-- 

Without rice, even the cleverest housewife cannot cook. 
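The /dev traversal Ben describes can be done without executing any binary that a rootkit might have replaced. The script below is an added example, not code from this thread or its participants: it walks a /dev-style tree using only shell builtins (pathname expansion, test, printf), so a trojaned ls, find or lsof is never run, and it reports what does not belong in /dev: regular files, hidden (dot-prefixed) entries, and subdirectories outside a known-good list. The DEV_OK_DIRS allowlist is an assumption to be tuned per distribution, and make_sample_dev builds a constructed look-alike tree (a FIFO stands in for a device node, since mknod needs root) so the scanner can be exercised offline.

```shell
#!/bin/sh
# Added example (not code from the original thread): walk a /dev-style tree
# using only shell builtins (pathname expansion, test, printf), so that a
# trojaned ls, find or lsof is never executed, and report entries that do
# not belong in /dev: regular files, hidden (dot) entries, and directories
# outside a known-good list.  The allowlist is an assumption; tune it for
# your distribution and device manager.

DEV_OK_DIRS="pts shm fd disk input net snd mapper block char bus"

# is_ok_dir NAME: succeed if NAME is an expected /dev subdirectory.
is_ok_dir() {
    for d in $DEV_OK_DIRS; do
        [ "$1" = "$d" ] && return 0
    done
    return 1
}

# scan_dev ROOT: print "KIND PATH" for every suspicious entry under ROOT,
# recursing into subdirectories.  Exit status 0 = clean, 1 = something found.
# The body is a subshell "( ... )" so each recursion level gets its own
# variables without relying on the non-POSIX "local".
scan_dev() (
    root=$1
    rc=0
    # Three patterns cover plain, dot-prefixed and dot-dot-prefixed names
    # while skipping "." and "..".  A pattern that matches nothing stays
    # literal, so test for existence before using it.
    for e in "$root"/* "$root"/.[!.]* "$root"/..?*; do
        [ -e "$e" ] || [ -L "$e" ] || continue
        name=${e##*/}
        kind=
        if [ -L "$e" ]; then
            continue                 # symlinks (fd, stdin, core) are normal in /dev
        elif [ -d "$e" ]; then
            is_ok_dir "$name" || kind=dir
        elif [ -f "$e" ]; then
            kind=file                # /dev holds device nodes, not regular files
        fi
        case $name in
            .*) kind="hidden${kind:+-$kind}" ;;   # dot entries are odd in /dev
        esac
        if [ -n "$kind" ]; then
            printf '%s %s\n' "$kind" "$e"
            rc=1
        fi
        if [ -d "$e" ]; then
            scan_dev "$e" || rc=1    # keep descending, even into allowed dirs
        fi
    done
    exit "$rc"
)

# make_sample_dev DIR: build a constructed /dev look-alike for offline
# testing.  Device nodes need root to create, so a FIFO stands in for one.
make_sample_dev() {
    mkdir -p "$1/pts" "$1/shm" "$1/.hidden" "$1/ptyxx"
    mkfifo "$1/null"                       # stand-in for a real device node
    ln -s /proc/self/fd "$1/fd"            # normal symlink, as on Linux
    : > "$1/.hidden/ls"                    # a rootkit's replacement binary
    : > "$1/shm/.config"                   # hidden regular file in an allowed dir
    : > "$1/rootkit.tgz"                   # plain file where only nodes belong
}

# Usage: sh scan_dev.sh /dev
if [ $# -gt 0 ]; then
    scan_dev "$1"
fi
```

Run it as `sh scan_dev.sh /dev` on the suspect host. Expect some noise from legitimate directories not in the allowlist; the interesting hits are regular files (especially executables) and dot-prefixed directories. The caveat is that this only sidesteps trojaned userland binaries: a kernel-module rootkit can hide entries from the shell's own readdir calls just as easily, so a clean result here is not proof of a clean system, and the definitive check is to mount the disk from trusted boot media and compare against known-good binaries.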