Re: Re: Re: [SLE] hack attempt?
I told him to do an lsmod to see what modules are loaded. Some rootkits work via kernel modules.
Yes... that's very good thinking. One way of making sure nothing else goes wrong is to stop "inetd" running. Disallow access to "unsecure" programs such as "telnet", "rlogin", etc. (but then you'd be using SSH, so that should not matter). Also, only allow access to "su" to trusted members. Perhaps use SUDO to allow access to su to everyone who is in the "sugroup", say. Change all the passwords (including root). Disallow root to SSH, and enforce "su" to trusted members. But then, this of course does not solve how/why your hacking occurred. It's a start though. --Thomas Adam
On Wed, 10 Oct 2001, THOMAS ADAM wrote:
Unfortunately, I have lost the original thread of this e-mail, but...
Okay, top gave you what it was supposed to, a list of processes running on the machine. Some rootkits will put a trojan in top; when you run it you get a root prompt. That's why I suggested running it and seeing what happened. If lsmod didn't work, try /sbin/lsmod.
Paranoid? :-)
On Tue, 9 Oct 2001, gabriel wrote:
"top" gave me a whole lot of information I didn't understand, and there are no .gz files in the /var/log directory, and lsmod didn't work...
What device are you trying to load via "insmod", first of all? "lsmod" lists those devices which have been loaded (typically from "/lib/modules/kernel-version"). These include things like eth0 interfaces, printers, etc.
This can then be checked via the "/proc" directory.
If you could give me the original thread (I cannot connect to suse.co.uk for some reason), I'll try and help.
--Thomas Adam
Could this be from someone cutting the power and then restoring it?
From:
Date: Tue, 9 Oct 2001 16:40:51 -0500 (CDT)
To: gabriel
Cc: SuSE Linux E
Subject: Re: [SLE] hack attempt?
Also, do an lsmod and see what modules are loaded. Maybe do a "top" and see if you get a root prompt, do a netstat -a -n -c and see what all network traffic you have going out and in, and do a port scan of your machine to see if any strange ports are open.
On Tue, 9 Oct 2001, gabriel wrote:
OK, I've been going crazy. I think someone's been hacking into my webserver, but I don't know how to be sure.
Typing "last" at the command line returns a list of past logins, but also on that list is
reboot system boot 2.4.4-4GB [date] [time] (01:20)
and my messages.log file is cleared to that date, i.e. I have no entries from before October 9th @ 11:49, the time this "reboot" happened.
Does anyone know what's going on? Any suggestions?
-- To unsubscribe send e-mail to suse-linux-e-unsubscribe@suse.com. For additional commands send e-mail to suse-linux-e-help@suse.com. Also check the FAQ at http://www.suse.com/support/faq and the archives at http://lists.suse.com
Chad Whitten Network/Systems Administrator neXband Communications chadwick@nexband.com
Thomas Adam "The Linux Weekend Mechanic" --
A Student at the "Southampton Institute", Southampton, Hants, ENGLAND
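The triage steps traded back and forth in this thread (lsmod, a possibly trojaned top, the "reboot" line from last, the messages log that starts at that exact time, netstat and a port scan) can be turned into cross-checks that run on saved output rather than typed one at a time. The script below is an added example, not code from any of the posters or from SuSE: it defines three small checks and runs them against constructed sample output (the lsmod, /proc/modules, last, /var/log/messages and netstat -an listings are all made up for this example, including the module name example_lkm and port 31337), so it needs no root and no live host. It assumes the 2.4-era column layouts of those commands as shown in the samples.

```shell
#!/bin/sh
# Added example (not from the thread): three offline cross-checks built from
# the triage steps discussed above, run against constructed sample output so
# nothing here needs root or a live host.

WORK=$(mktemp -d)

# --- constructed sample data (not real captures) -------------------------
cat > "$WORK/lsmod.txt" <<'EOF'
Module                  Size  Used by
eepro100               17616   1 (autoclean)
ipv6                  145024  -1 (autoclean)
EOF
cat > "$WORK/proc_modules.txt" <<'EOF'
eepro100 17616 1 (autoclean)
ipv6 145024 -1 (autoclean)
example_lkm 5120 0 (unused)
EOF
cat > "$WORK/last.txt" <<'EOF'
gabriel  pts/0        10.0.0.5         Tue Oct  9 13:02   still logged in
reboot   system boot  2.4.4-4GB        Tue Oct  9 11:49          (01:20)
gabriel  pts/0        10.0.0.5         Mon Oct  8 20:11 - 21:30  (01:19)
EOF
cat > "$WORK/messages.txt" <<'EOF'
Oct  9 11:49:02 web syslogd 1.3-3: restart.
Oct  9 11:49:03 web kernel: klogd 1.3-3, log source = /proc/kmsg started.
EOF
cat > "$WORK/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:22             10.0.0.5:1043           ESTABLISHED
EOF

# hidden_modules LSMOD_FILE PROC_MODULES_FILE
# Prints module names present in /proc/modules but missing from the lsmod
# listing (lsmod's first line is its column header). A replaced lsmod binary
# shows up here; a module that unlinked itself from the kernel's module list
# does not, because both views read that same list.
hidden_modules() {
    awk 'NR == FNR { if (FNR > 1) seen[$1] = 1; next }
         !($1 in seen) { print $1 }' "$1" "$2"
}

# minute_of_year MON DAY HH:MM
# Maps a syslog/last style timestamp (no year) to an integer that orders
# correctly within one year, so two timestamps can be compared with test(1).
minute_of_year() {
    awk -v mon="$1" -v day="$2" -v hm="$3" 'BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) idx[m[i]] = i
        split(hm, t, ":")
        print ((idx[mon] * 31 + day) * 24 + t[1]) * 60 + t[2]
    }'
}

# log_starts_at_reboot LAST_FILE MESSAGES_FILE
# True (exit 0) when the first surviving messages line is not older than the
# most recent "reboot" entry from `last`, i.e. nothing in the log predates the
# reboot, which is the situation described in the original question.
log_starts_at_reboot() {
    # `last` reboot line: reboot  system boot  KERNEL  Www Mon DD HH:MM ...
    reboot_line=$(awk '$1 == "reboot" { print $6, $7, $8; exit }' "$1")
    [ -n "$reboot_line" ] || { echo "no reboot entry in $1" >&2; return 2; }
    reboot_min=$(minute_of_year $reboot_line)   # unquoted on purpose: 3 args
    # syslog line: Mon DD HH:MM:SS host ...; keep HH:MM only
    first_line=$(head -n 1 "$2" | awk '{ print $1, $2, substr($3, 1, 5) }')
    first_min=$(minute_of_year $first_line)
    [ "$first_min" -ge "$reboot_min" ]
}

# unexpected_listeners NETSTAT_FILE "PORT PORT ..."
# Prints LISTEN-state local ports that are not in the expected list, the
# "strange ports" a port scan from another host would also show.
unexpected_listeners() {
    awk -v ok=" $2 " '$NF == "LISTEN" {
        n = split($4, a, ":"); port = a[n]
        if (index(ok, " " port " ") == 0) print port
    }' "$1"
}

# Run the checks against the sample data and print a short report.
echo "modules in /proc/modules missing from lsmod: $(hidden_modules "$WORK/lsmod.txt" "$WORK/proc_modules.txt")"
echo "listening ports outside the expected set:    $(unexpected_listeners "$WORK/netstat.txt" "22 80")"
if log_starts_at_reboot "$WORK/last.txt" "$WORK/messages.txt"; then
    echo "messages log starts at the last reboot: nothing survives from before it"
fi
```

On a live host you would feed it the real output (lsmod, cat /proc/modules, last, /var/log/messages, netstat -an) instead of the sample files. The caveat the thread itself raises about top applies to every one of these: they run binaries and read kernel interfaces on the suspect box, so a trojaned awk, head or netstat, or a kernel module filtering /proc reads, can make all three checks report a clean machine. Treat a clean result as "nothing obvious", copy the evidence off the host (or boot it from known-good media) before trusting it, and remember that a module-hiding rootkit defeats the lsmod versus /proc/modules comparison by design.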