[NTLUG:Discuss] Have I been Hacked?

david ross david at rawcreations.net
Tue Apr 2 07:11:19 CST 2002


I use a program called "chkrootkit". I keep it on a floppy and run it 
weekly. My cron also runs the HD pretty hard, but I have no clue why.

On Monday 01 April 2002 07:53 am, you wrote:
> So, I'm sitting at my system before heading to work this morning and for
> some reason, the hard drive is running (and all I'm doing is looking at a
> website). So, either konqueror has a nasty memory leak (wouldn't surprise
> me) or something weird is going on.
>
> A top showed that "find" was running, which seemed odd. A "ps ax" showed
> several things that may or may not have been legit, but two things
> jumped out at me:
>
>
> 13485 ?        S      0:00 /USR/SBIN/CRON
> 21211 ?        R      0:00 find / -xdev ( -false ) -prune -o ( -type f
> -perm +06000 -o ( ( -type b -o -type c ) -a -not ( -false ) ) ) -printf
> %8i %5m %3n %-10u %-10g %9s %t %h/%f?n
>
> The first one: why the capital letters? Never seen them before.
> The second: wtf is this command trying to do?
>
> I suspect I opened a hole last week by opening the Xwindows ports so I
> could do a xhost +localhost to let root run applications. But I did a quick
> check of some of the programs that a rootkit would replace, i.e. ps and
> netstat, and they aren't small (ps is about 58k and netstat is nearly
> 87k).
>
> Thanks,
>
> Jason
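
The `find` command quoted above selects regular files with the set-uid or set-gid bit (`-perm +06000`, the older GNU find spelling) plus block and character device nodes, and `-xdev` keeps it on the root filesystem. As an added example that is not part of either message, the functions below keep such a listing as a baseline so that a new or altered set-uid file shows up in a comparison. The function names and the output format are assumptions, and GNU find is needed for `-printf`.

```shell
#!/bin/sh
# Added example (not from the thread): baseline the set-uid/set-gid files
# under a tree and report what changed between two snapshots.
# Requires GNU find for -printf; function names are hypothetical.

# suid_snapshot DIR
# Prints one sorted line per set-uid or set-gid regular file under DIR:
#   octal-mode owner group size path
# "-perm -4000 -o -perm -2000" matches the same files as the quoted
# "-perm +06000"; -xdev stays on DIR's filesystem as the quoted command does.
# Caveat: a path containing a newline would span two lines of output.
suid_snapshot() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %g %s %p\n' 2>/dev/null | LC_ALL=C sort
}

# suid_changes OLD NEW
# Prints lines that appear only in NEW: files that gained a set-id bit,
# or whose mode, owner, group or size differs from the baseline in OLD.
suid_changes() {
    LC_ALL=C comm -13 "$1" "$2"
}

# suid_removed OLD NEW
# Prints lines that appear only in OLD: entries that disappeared or were
# replaced by a changed entry.
suid_removed() {
    LC_ALL=C comm -23 "$1" "$2"
}

# Typical use (as root, with the baseline kept on read-only media):
#   suid_snapshot / > /mnt/floppy/suid.baseline
#   suid_snapshot / > /tmp/suid.now
#   suid_changes /mnt/floppy/suid.baseline /tmp/suid.now
```

Any line printed by `suid_changes` is a file to inspect by hand; an empty result means the set-id files match the baseline in mode, ownership and size.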
