Joe & Sesil Morris (NTM) wrote:
cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"
Those are all cd's to directories...: echo -e '\057\150\157\155\145\057\152\157\145' gives: /home/joe, so it was a cd to /home/joe (maybe intruder account?). You can check the rest of the cds by yourself ;)
BTW, this is SuSE 8.0. I still haven't figured out how they got in.
http://www.suse.de/en/support/download/updates/80_i386.html
There you find a list of all security updates for 8.0 (some...)
I run SUSEfirewall2, and all incoming ports are blocked on the internet interface. I tried to compile chkrootkit and no go, so I need some help, if you would be so kind. Thanks.
How do you try to compile, and what's the error? First of all, you should take the box away from the internet (if you haven't already done so ;), then use chkrootkit, or, if you used tripwire etc., use that to check which files are changed. Marc's seccheck may also help.

HTH
Sven
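
An added example, not part of the original thread: a small decoder that lists what each `echo -e` escape string in a shell history resolves to, without executing any of the recovered commands. The function names are hypothetical, and every sample history line except the first (taken from the message above) is constructed.

```python
import re

# An `echo -e '<escapes>'` (or double-quoted) fragment inside a history line.
ECHO_RE = re.compile(r"""echo\s+-e\s+(['"])(.*?)\1""")
# Escapes handled here: \xHH (hex), \0NNN and \NNN (octal).
ESC_RE = re.compile(r"\\(?:x([0-9A-Fa-f]{1,2})|(0[0-7]{0,3}|[1-7][0-7]{0,2}))")


def decode_escapes(text):
    """Turn octal/hex escapes into characters; other text is left unchanged."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESC_RE.sub(repl, text)


def scan_history(lines):
    """Return (line_number, decoded_string) for every echo -e fragment found."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in ECHO_RE.finditer(line):
            hits.append((number, decode_escapes(match.group(2))))
    return hits


# Line 1 is the command quoted in the thread; the others are constructed.
SAMPLE_HISTORY = [
    r'''cd "`echo -e '\057\150\157\155\145\057\152\157\145'`"''',
    r'''ls -la''',
    r'''cd "`echo -e '\057\164\155\160'`"''',
]

if __name__ == "__main__":
    for number, decoded in scan_history(SAMPLE_HISTORY):
        # repr() keeps control characters or trailing spaces visible.
        print(f"history line {number}: {decoded!r}")
```

Run it against a copy of the history file taken from the offline disk rather than on the live system.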