Mailinglist Archive: opensuse-security (465 mails)

Re: [suse-security] user ***** - am I hacked?
  • From: "Erwin Zierler - stubainet.at" <erwin.zierler@xxxxxxxxxxxx>
  • Date: Sun, 30 Dec 2001 13:15:33 +0100
  • Message-id: <3C2F0565.1020408@xxxxxxxxxxxx>
Hi,

first I would get for instance chkrootkit from
http://www.chkrootkit.org - unzip/untar type 'make sense'
in ./chkrootkit-0.34 and then run ./chkrootkit

This will probably detect the most basic infections/trojans
etc. Read the README file - it explains what it will do for you.

With lsof|grep IPv4 you will be able to see a lot of info on
listening programs and open connections - this might show
you if your system is running any servers that you actually
don't know of. I say 'might' because the smarter hacker will
hide his presence by replacing important commands like ls, ps,
netstat and maybe also lsof - in which case you cannot trust
the results anymore. I have found attacks by also checking
for suspicious files in dirs like /tmp and so on. Some silly
script kiddies leave enough info to make it possible to
identify most of their activity - at least that's what I have
experienced.

Hope this will give you a start.

Erwin

---
Marc Wiesenhütter wrote:

Hi,
when I just checked users' logins with last, I found this entry

***** p*******p*** Thu Jan 1 01:00 still logged in

and user ***** is not known to me. The process table didn't show anything
strange, so am I hacked, or what does it mean?
Any ideas welcome!

bye
Marc

--
Erwin Zierler | web- / host- / postmaster - stubainet.at
| erwin.zierler@xxxxxxxxxxxx / webmaster@xxxxxxxxxxxx
| Tel.: 0 5225 - 64325 Fax 99 Mobil: 0664 - 130 67 91
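As an added example (not code from the thread or from SuSE), here is a small Python script that automates two of the checks Erwin describes: cross-checking every login name recorded by `last` against /etc/passwd, and comparing the kernel's own listener table in /proc/net/tcp with what `lsof -i -nP` reports, so that a replaced lsof which hides a listening program stands out. All sample inputs are constructed; the /proc/net/tcp comparison assumes a Linux host and that lsof was run as root.

```python
# Constructed sample inputs (not real data from the thread); `lsof -i -nP` format assumed.
LAST_SAMPLE = """\
marc     pts/0        192.0.2.10       Sun Dec 30 12:01   still logged in
zz0rk    pts/1        198.51.100.7     Thu Jan  1 01:00   still logged in
wtmp begins Sat Dec 29 08:00:00 2001
"""
PASSWD_SAMPLE = "root:x:0:0:root:/root:/bin/bash\nmarc:x:500:100::/home/marc:/bin/bash\n"
PROC_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:2710 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1
"""
LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd    812 root  3u IPv4   1234      0t0  TCP *:22 (LISTEN)
"""

def users_from_last(last_output):
    # first column of each `last` line is the login name; drop the pseudo-user
    # 'reboot' and the trailing "wtmp begins ..." summary line
    names = {l.split()[0] for l in last_output.splitlines()
             if l.strip() and not l.startswith("wtmp begins")}
    return names - {"reboot", "shutdown"}

def users_from_passwd(passwd_text):
    return {l.split(":")[0] for l in passwd_text.splitlines() if ":" in l}

def unknown_login_users(last_output, passwd_text):
    # logins recorded in wtmp for names that have no passwd entry at all
    return users_from_last(last_output) - users_from_passwd(passwd_text)

def listening_ports_proc(proc_net_tcp):
    # kernel view: column "st" is 0A for LISTEN; local port is the hex after the colon
    rows = [l.split() for l in proc_net_tcp.splitlines()[1:] if l.strip()]
    return {int(f[1].rsplit(":", 1)[1], 16) for f in rows if f[3] == "0A"}

def listening_ports_lsof(lsof_output):
    # userland view: `lsof -i -nP` prints e.g. "TCP *:22 (LISTEN)"; port follows the last colon
    return {int(l.split()[-2].rsplit(":", 1)[1])
            for l in lsof_output.splitlines() if "(LISTEN)" in l}

def hidden_listeners(proc_net_tcp, lsof_output):
    # ports the kernel says are listening but lsof does not report
    return listening_ports_proc(proc_net_tcp) - listening_ports_lsof(lsof_output)

if __name__ == "__main__":
    print("unknown users:", unknown_login_users(LAST_SAMPLE, PASSWD_SAMPLE))
    print("hidden listeners:", hidden_listeners(PROC_TCP_SAMPLE, LSOF_SAMPLE))
```

On a live host, feed it the real output of `last`, `cat /etc/passwd`, `cat /proc/net/tcp` and `lsof -i -nP` run as root; a port present only in the kernel view means either lsof was run without enough privilege or it can no longer be trusted, and a kernel-module rootkit can hide from /proc as well, so an empty result is not proof of a clean system.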

