On Saturday 16 September 2006 11:10, Tage Danielsen wrote:
When did they switch? With 10.0?
SLES 9 still uses syslog, but my 10.1 machine uses syslog-ng?
Tage has BOTH running!!
I think he's likely rooted, and I'm betting they DO have root.
Maybe the result is a reinstall, but I would still like to find where the hole is; if it is general I will be hacked again.
To start with, what do you have running in your Apache? You also have Webmin listening to the world, and Samba and CUPS. Go through the log files from those services around the time when the strange traffic started happening, and see if you see anything unusual. But please take the machine off the internet while you're investigating.
My 10.1 is an upgrade from 9.3; maybe that's the reason for both syslogd and syslog-ng??
No. First of all, no normal syslogd will connect to an IRC server. Secondly, 9.3 was already using syslog-ng. It is part of a rootkit.
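The check behind the last reply (a syslog daemon holding a connection to an IRC server is a rootkit indicator, not a packaging quirk) can be made mechanical. The following is an added example, not code from the thread or from SUSE: it parses `netstat -tnp` style output and flags established connections to IRC ports, then narrows to the syslog daemons. The function names (`flag_irc_connections`, `flag_syslog_irc`, `count_flagged`) and the variable `SAMPLE_NETSTAT` are hypothetical, and the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumes `netstat -tnp` output,
# i.e. columns: Proto Recv-Q Send-Q Local Foreign State PID/Program.
# On a live host you would run:  netstat -tnp | flag_syslog_irc
# Function and variable names below are hypothetical.

# Constructed sample of `netstat -tnp` output (not a real capture).
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.168.1.10:22         192.168.1.5:51234       ESTABLISHED 2101/sshd
tcp        0      0 192.168.1.10:43122      203.0.113.7:6667        ESTABLISHED 1487/syslogd
tcp        0      0 192.168.1.10:43125      203.0.113.9:6697        ESTABLISHED 1492/syslog-ng
tcp        0      0 192.168.1.10:80         198.51.100.3:40211      ESTABLISHED 2890/httpd2-prefork'

# Read netstat lines on stdin; print "PID program remote" for every established
# TCP connection whose remote port is a common IRC port (6660-6669, 6697, 7000).
flag_irc_connections() {
    awk '
        $1 == "tcp" && $6 == "ESTABLISHED" {
            n = split($5, a, ":")          # last colon-separated piece is the port
            port = a[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 6697 || port == 7000) {
                split($7, p, "/")          # PID/Program name
                printf "%s %s %s\n", p[1], p[2], $5
            }
        }'
}

# Narrow to daemons that have no business opening outbound connections at all:
# an IRC connection owned by syslogd or syslog-ng is the sign discussed above.
flag_syslog_irc() {
    flag_irc_connections | awk '$2 == "syslogd" || $2 == "syslog-ng"'
}

# Number of flagged connections in the constructed sample.
count_flagged() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_irc_connections | wc -l | tr -d ' '
}

# Stand-alone run: show what the sample would flag.
printf '%s\n' "$SAMPLE_NETSTAT" | flag_syslog_irc
```

Once a process is flagged, the next step is to distrust the binary rather than the name: `rpm -Vf /sbin/syslogd` (or the path reported for the process) compares the installed file against the package database and reports size, checksum and mode changes. A rootkit that replaces `netstat` or `ps` themselves would hide from this check, which is why the advice in the thread to take the machine offline and treat a reinstall as likely still stands.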