Hi,

first I would get, for instance, chkrootkit from http://www.chkrootkit.org - unzip/untar it, type 'make sense' in ./chkrootkit-0.34 and then run ./chkrootkit. This will probably detect the most basic infections/trojans etc. Read the README file - it explains what it will do for you.

With lsof|grep IPv4 you will be able to see a lot of info on listening programs and open connections - this might show you if your system is running any servers that you actually don't know of. I say 'might' because the smarter hacker will hide his presence by replacing important commands like ls, ps, netstat and maybe also lsof - in which case you cannot trust the results anymore.

I have found attacks by also checking for suspicious files in dirs like /tmp and so on. Some silly script kiddies leave enough info to make it possible to identify most of their activity - at least that's what I have experienced.

Hope this will give you a start.

Erwin

--- Marc Wiesenhütter wrote:
Hi, when I just checked user logins with last, I found this entry
***** p*******p*** Thu Jan 1 01:00 still logged in
and user ***** is not known to me. The process table didn't show any strange thing, so am I hacked or what does it mean? Any ideas welcome!
bye Marc
-- Erwin Zierler | web- / host- / postmaster - stubainet.at | erwin.zierler@stubainet.at / webmaster@stubainet.at | Tel.: 0 5225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
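
The reply above notes that netstat or lsof may have been replaced; one partial cross-check is to read the kernel's socket table directly and compare it with what the tool reported. This is an added example, not part of the original mail: the function names and sample data are constructed, it assumes a Linux /proc filesystem, and a kernel-level rootkit can still falsify /proc.

```shell
#!/bin/sh
# Added example (not from the original mail): list listening TCP ports from the
# kernel's /proc/net/tcp table and diff them against saved `netstat -tln` output.
# Assumption: Linux /proc layout; a kernel-level rootkit can falsify /proc too.

proc_listen_ports() {   # $1 = table file (default /proc/net/tcp)
    awk '
    function hex(s,   i, n) {          # portable hex -> decimal
        s = toupper(s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "0A" { split($2, a, ":"); print hex(a[2]) }  # 0A = LISTEN
    ' "${1:-/proc/net/tcp}" | sort -u
}

tool_listen_ports() {   # $1 = saved `netstat -tln` output
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' "$1" | sort -u
}

hidden_ports() {        # ports in the kernel table that the tool did not report
    p=$(mktemp); t=$(mktemp)
    proc_listen_ports "$1" > "$p"; tool_listen_ports "$2" > "$t"
    comm -23 "$p" "$t"
    rm -f "$p" "$t"
}

demo() {                # constructed sample data, not captured from a real host
    d=$(mktemp -d)
    cat > "$d/tcp" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0A00000A:0016 0B00000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
EOF
    cat > "$d/netstat" <<'EOF'
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
EOF
    hidden_ports "$d/tcp" "$d/netstat"
    rm -rf "$d"
}
```

Calling `demo` runs the comparison on the constructed sample; on a live host, save the tool's output to a file and run `hidden_ports /proc/net/tcp that-file`, ideally with awk, sort and comm taken from known-good media.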