On Tue, 11 Jan 2000, Widmann Thomas wrote:
the result of an finger command against a machine look's like:
syslogd: no process killed klogd: no process killed crond: no process killed rm: cannot remove `/etc/syslog.conf': No such file or directory
Looks like your "finger" is some sort of trojan that kills all log daemons, removes all files that limit access and adds some username to /etc/passwd, some service to /etc/inetd.conf and other stuff to startup files. Bad. Don't run it as root... Has your system been compromised in the past where you didn't do a clean reinstall? Then perhaps it's a leftover from then. If not, someone has injected that fake finger binary somehow. Where is it located (do a type finger). Is that directory world writable? If not, the user must have had root access to change it. Here's the standard cert link: URL: http://www.cert.org/tech_tips/root_compromise.html Maybe you could do a "rpm -Va" to run a verify on all packages. Though I guess that should be done after booting from a floppy to be completely sure that rpm itself hasn't been compromised. -- ============================================================================== Erwin Andreasen Herlev, Denmark <erw@dde.dk> UNIX System Programmer <URL:http://www.andreasen.org> <*> (not speaking for) DDE ==============================================================================