Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] user ***** - am I hacked?
  • From: Elimar Riesebieter <elimar.riesebieter@xxxxxxxxxxx>
  • Date: Sun, 30 Dec 2001 13:45:40 +0100
  • Message-id: <20011230134540.E1211@local>
On Sun, 30 Dec 2001 the mental interface of Marc Wiesenhütter told:

> "Erwin Zierler - stubainet.at" wrote:
>
> > Hi,
> >
> > first I would get for instance chkrootkit from
> > http://www.chkrootkit.org - unzip/untar type 'make sense'
> > in ./chkrootkit-0.34 and then run ./chkrootkit
> >
> > This will probably detect the most basic infections/trojans
> > etc. Read the README file - it explains what it will do for you.
> >
> > With lsof|grep IPv4 you will be able to see a lot of info on
> > listening programs and open connections - this might show
> > you if your system is running any servers that you actually
> > don't know of. I say 'might' because the smarter hacker will
> > hide his presence by replacing important commands like ls, ps,
> > netstat and maybe also lsof - in which case you cannot trust
> > the results anymore. I have found attacks by also checking
> > for suspicious files in dirs like /tmp and so on. Some silly
> > script kiddies leave enough info to make it possible to
> > identify most of their activity - at least that's what I have
> > experienced.
> >
> > Hope this will give you a start.
> >
> > Erwin
> >
> > ---
>
> Hi,
> thanks for your advice, I checked the 3 things, but there is nothing
> strange at all. Everything looks normal but this user.
> Where can I get any info in my logs where ***** comes from?
Hi Erwin,

Did you check your /etc/passwd | grep ***** ?

Ciao

Elimar


--
It's a good thing we don't get all
the government we pay for.
--
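
An added example, not part of the original message or thread: the /etc/passwd check suggested above, extended to report what the entry says about an unexplained account (UID 0 on a non-root name, a UID shared with another account, an interactive shell). The function name `audit_account`, the account `mystery` and the sample file are constructed for illustration; on a real host the first argument would be /etc/passwd.

```shell
#!/bin/sh
# audit_account FILE USER
# Reads a passwd-format FILE and prints findings for USER, one per line.
audit_account() {
    awk -F: -v user="$2" '
        # Remember which names use each UID so shared UIDs can be reported.
        { count[$3]++; names[$3] = names[$3] " " $1 }
        $1 == user { found = 1; uid = $3; gid = $4; home = $6; shell = $7 }
        END {
            if (!found) { print "NOT_FOUND " user; exit }
            print "ENTRY uid=" uid " gid=" gid " home=" home " shell=" shell
            # Any account with UID 0 has full root privileges.
            if (uid ~ /^0+$/ && user != "root")
                print "WARN uid 0 on non-root account"
            # Two names on one UID are the same user to the kernel.
            if (count[uid] > 1)
                print "WARN uid shared by:" names[uid]
            # An empty shell field defaults to /bin/sh, so it counts too.
            if (shell !~ /(nologin|false)$/)
                print "INFO interactive shell"
        }' "$1"
}

# Constructed sample data (not taken from the thread).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/bin/false
wwwrun:x:30:65534:WWW daemon:/var/lib/wwwrun:/bin/false
mystery:x:0:100::/tmp/.m:/bin/bash
EOF

audit_account "$sample" mystery
```

If the host's own awk or the passwd file may have been tampered with, run the check against a copy of the file from trusted media, for the reason given in the quoted message about replaced system commands.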
