On Sun, 30 Dec 2001 the mental interface of Marc Wiesenhütter told:
"Erwin Zierler - stubainet.at" wrote:
Hi,
First I would get, for instance, chkrootkit from http://www.chkrootkit.org - unzip/untar, type 'make sense' in ./chkrootkit-0.34 and then run ./chkrootkit
This will probably detect the most basic infections/trojans etc. Read the README file - it explains what it will do for you.
With lsof|grep IPv4 you will be able to see a lot of info on listening programs and open connections - this might show you if your system is running any servers that you actually don't know of. I say 'might' because the smarter hacker will hide his presence by replacing important commands like ls, ps, netstat and maybe also lsof - in which case you cannot trust the results anymore. I have found attacks by also checking for suspicious files in dirs like /tmp and so on. Some silly script kiddies leave enough info to make it possible to identify most of their activity - at least that's what I have experienced.
Hope this will give you a start.
Erwin
---
Hi, thanks for your advice, I checked the 3 things, but there is nothing strange at all. Everything looks normal but this user. Where can I get any info in my logs where ***** comes from?

Hi Erwin,
did you check your /etc/passwd | grep ***** ?
Ciao
Elimar
--
It's a good thing we don't get all the government we pay for.
--
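
Erwin's caveat above is that replaced netstat or lsof binaries cannot be trusted; as an added example (not part of the original thread), this script reads the listening sockets straight from a table in /proc/net/tcp format and reports any port outside a list the admin expects. The function names, the expected-port list and the sample table are constructed for illustration, and a kernel-level rootkit can still hide entries from /proc, so this only sidesteps replaced userland tools.

```shell
#!/bin/sh
# Added example: read listening TCP sockets from the kernel table itself,
# without calling netstat or lsof. Function names are hypothetical.
sample_table() {   # constructed sample (st 0A = LISTEN, 01 = ESTABLISHED)
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305
   2: 0A00000A:0016 1400000A:C350 01 00000000:00000000 00:00000000 00000000     0        0 2210
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 4417
EOF
}

# Print "ip:port uid=N" for every LISTEN socket in the table ($1, default live).
listening_tcp() {
    awk '
    function hex(s,   i, n) {          # portable hex -> decimal
        s = toupper(s); n = 0
        for (i = 1; i <= length(s); i++)
            n = n * 16 + index("0123456789ABCDEF", substr(s, i, 1)) - 1
        return n
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":"); h = a[1]
        # assumes a little-endian host (e.g. x86): the last byte pair comes first
        ip = hex(substr(h, 7, 2)) "." hex(substr(h, 5, 2))
        ip = ip "." hex(substr(h, 3, 2)) "." hex(substr(h, 1, 2))
        print ip ":" hex(a[2]) " uid=" $8
    }' "${1:-/proc/net/tcp}"
}

# Print listeners whose port is not in $2, the ports the admin expects open.
unexpected_listeners() {
    listening_tcp "$1" | while read -r sock owner; do
        case " $2 " in
            *" ${sock##*:} "*) ;;
            *) echo "$sock $owner" ;;
        esac
    done
}

# Demo on the constructed sample
tmp=$(mktemp); sample_table > "$tmp"
unexpected_listeners "$tmp" "22 25"
rm -f "$tmp"
```

On a live system, pass /proc/net/tcp as the first argument; the uid column can then be looked up in /etc/passwd, which ties in with Elimar's suggestion.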