[NTLUG:Discuss] Have I been Hacked?

Chris Cox cjcox at acm.org
Mon Apr 1 22:05:51 CST 2002


Tom Woody wrote:
> 
> Just to be safe, I would make a floppy disk with "clean" versions of ifconfig, netstat, ls, ps, du, then check the file sizes, make sure you don't have any crazy stuff bound to your network card, etc.  Also the clean ps will show any processes that shouldn't be running.  Then that is the only way to find out if you have been compromised. The clean du will be useful in finding if there are any hidden directories (esp. in /dev - i.e. /dev/tttyXX, or your generic ... directories).
> 
> If the machine was compromised by someone it was either done by a very poor rootkit, or a script kiddie who doesn't know up from down.  The machines that I found rooted (ps wouldn't show anything out of the ordinary - 'cause it was trojaned).  Another thing to do if you have another machine is to scan it with Nmap, the more popular ports for a rootkit show up as such with nmap.
> 
....
> > 13485 ?        S      0:00 /USR/SBIN/CRON
> > 21211 ?        R      0:00 find / -xdev ( -false ) -prune -o ( -type f
> > -perm +06000 -o ( ( -type b -o -type c ) -a -not ( -false ) ) ) -printf
> > %8i %5m %3n %-10u %-10g %9s %t %h/%f?n

Beware of the Paul Vixie CRON virus!

Please stop worrying this fellow.  I'm not saying he hasn't been hacked, but
I haven't seen any evidence yet.... of course maybe I just fell for a
very good April Fools' joke....

Regards,
Chris
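
The hidden-directory check in /dev that the quoted message describes, as an added example that is not part of the original thread. The FIND variable, the script name and the floppy mount path are assumptions; pointing FIND at a trusted copy matters because an installed find may be as untrustworthy as an installed ps.

```shell
#!/bin/sh
# Added example (not from the original thread): flag entries under a device
# directory that a stock /dev would not normally contain.
# FIND may point at a trusted copy of find on read-only media; the path in
# the usage line is hypothetical.
#   usage: FIND=/mnt/floppy/find sh devscan.sh /dev

FIND=${FIND:-find}

# scan_dev DIR: print "<reason> <path>" for each suspicious entry under DIR.
scan_dev() {
    dir=${1:-/dev}
    # Regular files: a device directory mostly holds device nodes and links,
    # so a plain file here deserves a look.
    "$FIND" "$dir" -mindepth 1 -xdev -type f \
        -exec printf 'regular-file %s\n' {} \;
    # Directories named to be overlooked: a leading dot ("..."), an embedded
    # space, or a tty-like name (the /dev/tttyXX case) that is a directory
    # instead of a character device.
    "$FIND" "$dir" -mindepth 1 -xdev -type d \
        \( -name '.*' -o -name '* *' -o -name '*tty*' \) \
        -exec printf 'odd-dir %s\n' {} \;
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    scan_dev "$1"
fi
```

Hits are leads to inspect by hand, not proof of compromise: some systems legitimately keep a few regular files or dot directories under /dev.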



