[ale] Is it hacked?

Ken Nagorski kenn at pcintelligent.com
Mon Feb 12 00:06:26 EST 2001


Hi there,

	Thanks for the info. That turned up nothing, just a file in
/usr/share/man/man1/..1.gz, which is just a one line file that tells man
something. Doesn't appear to be harmful. As far as anything weird from the
-mtime find, well, it doesn't look like there is anything strange, but that's
a little harder to tell being that there were various reboots over the
last two days.

	Hmm, anywhere else I can search? The log files don't have
anything funky in them (as far as I can tell), as well they would not
unless I was infiltrated by the "Hacker Society for morons who like to get
caught", which is not the case of course...

	Wow, this is a pain in the rear,

Thanks
Ken


 On Sun, 11 Feb 2001, Stephen F Nicholas wrote:

> Ken,
> The first thing I would do is to issue the following commands separately and
> check out the results.  I usually > to a file in /tmp:
> 
> find / -name \.\.\?\* -print
> find / -name \.\ \* -print 
> 
> These are checking for rootkits.
> 
> Then I would do a:
> 
> find . -mtime -2 -print > /tmp/found
> 
> This will give you a list of ALL of the files that have changed over the
> past 48 hours and pipe it to a file named /tmp/found.
> 
> Sounds like you indeed have been hacked.  Don't rush into anything, just
> go into the info gathering mode at this point.
> 
> Let me know,
> Steve
> =======================================================
> | Steve Nicholas             |                        |
> | Unix System Programmer     |  A risk is not a risk  |
> | Georgia State University   |  until it is taken.    | 
> | snicholas at gsu.edu          |                        |
> | 404-651-1062               |  BBROYGBVGW            |
> =======================================================
> 
> On Sun, 11 Feb 2001, Ken Nagorski wrote:
> 
> > Hi there,
> > 
> > 	I have a question about security. OK... Check this out. A guy I
> > know runs a web server. He and this other kid have root. I just help him
> > out in a jam and do some of the more sophisticated stuff for him (not
> > that I wanna sound like I am tooting my own horn, just so you know where I
> > am coming from). Anyway, it seems that Friday the root passwd + account
> > went away. Hmm, sounds like it has been hacked, right? Well, I am not so
> > sure. We were able to re-create the account with webmin. I am not sure
> > how webmin was able to log in, regardless... Webmin saved the day, or so
> > to speak I guess.
> > 	So I got in and looked around, can't find any signs of a hack,
> > doesn't look like ps or ls, or anything has been replaced, doesn't
> > look like there is anything funny coming from netstat, no strange
> > ports. There isn't anything in top that looks odd. I think that somehow
> > either one of the other two guys screwed up.
> > 	But, maybe I think I am not looking in the right places, I found
> > one odd thing in the /root/.bash_history This line right here.
> > vi NEED PASSWORD ?.html
> > What is that? It's strange, but if I hacked your box and had to do something
> > as funky as that, I would delete it from the .bash_history, no?
> > 	OK, the point of all this is, what else could I look for. Maybe
> > there are some people that have a little more experience with hackers and
> > security? 
> > 
> > Thanks
> > Ken
> > 
> > -- 
> > I've got all the money I'll ever need if I die by 4 o'clock.
> >                 -- Henny Youngman
> > 
> > 
> > --
> > To unsubscribe: mail majordomo at ale.org with "unsubscribe ale" in message body.
> > 
> 

-- 
I've got all the money I'll ever need if I die by 4 o'clock.
                -- Henny Youngman
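
Added example, not part of the original thread: the name checks and the -mtime check Steve suggests, wrapped as shell functions and run against a constructed directory tree so it is clear what each pattern does and does not match. The function names, the sample tree, and the `-xdev` / `-type f` restrictions are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the thread). Function names and the sample
# tree are constructed for illustration.

# Names beginning with ".." plus at least one more character ("...",
# "..1.gz") or with ". " (dot, space): the two patterns from the thread,
# quoted instead of backslash-escaped. -xdev (an addition) stays on one
# filesystem so /proc and network mounts are skipped.
odd_dot_names() {
    find "$1" -xdev \( -name '..?*' -o -name '. *' \) -print
}

# Regular files modified in the last $2 days (the thread used 2).
# -type f (an addition) drops directories, whose mtime changes whenever
# an entry is created or removed in them.
recent_files() {
    find "$1" -xdev -type f -mtime "-$2" -print
}

# Constructed sample tree: one benign match like the man-page file Ken
# found, two odd directory names, one ordinary dotfile, one old file.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/usr/share/man/man1" "$t/dev/..." "$t/tmp/. x" "$t/home"
    : > "$t/usr/share/man/man1/..1.gz"
    : > "$t/home/.bashrc"
    : > "$t/home/notes.txt"
    touch -t 200102010000 "$t/home/.bashrc"   # back-date: not "recent"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree) || exit 1
echo "== odd dot names =="; odd_dot_names "$tree"
echo "== changed in last 2 days =="; recent_files "$tree" 2
rm -rf "$tree"
```

An ordinary dotfile such as `.bashrc` matches neither pattern, which is why the name search stays short on a clean system, and a file whose timestamp has been set back drops out of the -mtime list.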

