[ale] Cannot chown unowned files
Randy C. Ramsdell
rramsdell at adelphia.net
Wed Aug 24 13:04:40 EDT 2005
On Wed, 2005-08-24 at 12:49 -0400, C. Lee Davis wrote:
> Randy C. Ramsdell wrote:
> > It would probably be a really good idea to do some sort of analysis of the
> > system to find out how the compromise occurred. This way you won't enable
> > the same server that obviously has an issue.
> >
> Absolutely. I'm FTPing the logs off now. Thanks for the advice. If I
> can't figure it out, you guys will definitely hear.
Just some info: A good hack or rootkit will clean the logs.
1. Don't reboot.
2. Check .bash_history if you are using bash.
3. Run lsof <--- this is missed a lot by rootkits.
4. Copy known good ps, ls, netstat, etc. commands and use those.
5. Check for "..." directories, etc.
6. Etc. More if you really want to dig deep into this.
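
Steps 2, 3 and 5 of the list above as read-only shell helpers. This is an added example, not part of the original message; TRUSTED_BIN, the function names, the directory-name patterns and the emptied-or-symlinked history check are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: read-only triage helpers. Nothing here writes to the
# suspect filesystem; redirect output to external media or over the network.

# Step 4 (assumption): TRUSTED_BIN points at known-good copies of find, sort
# and lsof, e.g. on read-only media. When set, only those tools are used.
if [ -n "${TRUSTED_BIN:-}" ]; then
    PATH="$TRUSTED_BIN"
    export PATH
fi

# Step 5: print directories under $1 whose names are built to be overlooked
# in a listing: three or more leading dots ("..."), one or two dots followed
# by a space, or a leading space. -xdev keeps the walk on one filesystem.
find_odd_dirs() {
    find "$1" -xdev -type d \( \
        -name '...*' -o -name '. *' -o -name '.. *' -o -name ' *' \
    \) -print 2>/dev/null | sort
}

# Step 2: before reading .bash_history, note any copy that is a symlink
# (for example to /dev/null) or zero bytes long. Either suggests the
# history was disabled or wiped, so its contents cannot be relied on.
find_blanked_histories() {
    find "$1" -xdev -name .bash_history \
        \( -type l -o \( -type f -size 0 \) \) -print 2>/dev/null | sort
}

# Step 3: open files with a link count of zero, i.e. deleted from disk but
# still held open by a running process. lsof's +L1 selects exactly those;
# -n and -P skip name lookups so the tool generates no DNS traffic.
list_unlinked_open_files() {
    lsof -n -P +L1 2>/dev/null
}

# Typical use on a live system (kept as comments so sourcing has no effect):
#   find_odd_dirs /            > /mnt/evidence/odd_dirs.txt
#   find_blanked_histories /   > /mnt/evidence/histories.txt
#   list_unlinked_open_files   > /mnt/evidence/lsof_unlinked.txt
```

Running these before any reboot matters because the lsof output only exists while the processes holding the deleted files are still alive.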