[NTLUG:Discuss] Have I been Hacked?

Jason Ferguson jferg3 at swbell.net
Mon Apr 1 06:53:05 CST 2002


So, I'm sitting at my system before heading to work this morning and for
some reason, the hard drive is running (and all I'm doing is looking at a
website). So, either konqueror has a nasty memory leak (wouldn't surprise
me) or something weird is going on.

A top showed that "find" was running, which seemed odd. A "ps ax" showed
several things that may or may not have been legit, but two things
jumped out at me:


13485 ?        S      0:00 /USR/SBIN/CRON
21211 ?        R      0:00 find / -xdev ( -false ) -prune -o ( -type f
-perm +06000 -o ( ( -type b -o -type c ) -a -not ( -false ) ) ) -printf
%8i %5m %3n %-10u %-10g %9s %t %h/%f?n

The first one: why the capital letters? Never seen them before.
The second: wtf is this command trying to do?

I suspect I opened a hole last week by opening the Xwindows ports so I
could do an xhost +localhost to let root run applications. But I did a quick
check of some of the programs that a rootkit would replace, i.e. ps and
netstat, and they aren't small (ps is about 58k and netstat is nearly
87k).

Thanks,

Jason