Mailinglist Archive: opensuse-security (465 mails)

< Previous Next >
Re: [suse-security] Have I been hacked?
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Mon, 3 Dec 2001 06:48:11 +0100
  • Message-id: <20011203064811.G21918@xxxxxxxxxxxxxxxxxxxxxxx>
[ I managed to delete the original message, so I'm replying here ]

On Sat, Dec 01, 2001 at 09:53 -0500, Nick Zentena wrote:
> On December 1, 2001 06:33 am, Hans Körber wrote:
> > Hallo,
> >
> > I found user "nobody" performing a "find" on my linux box few days ago.

Can you look at the ps(1) manpage and look up its -f option? Or
can you be bothered to work with the pstree(1) command?

This looks like one of the regular cron jobs running in the early
morning or whenever your cron ticks again (ISTR SuSE put some
logic in to "catch up" with missed jobs since more and more people
don't have their UNIX boxes running 24/7, plus cannot be bothered
to switch to fcron :).

> > In the /home section of the filesystem I found a subdirectory "httpd"
> > which I did not create. The "httpd" directory itself contained a
> > subfolder, "bin-cgi". I didn't find any other changes.

It's not so much about security. It's more that you should get
familiar with the usual administrator's tools. Use rpm(1) -- at
the command line or by means of one of the numerous frontends --
to learn where the files come from. Only if you didn't install
the appropriate package yourself or the checksum doesn't fit any
longer on non config files you should be concerned.

Try something along the lines of "rpm -qi -f /home/httpd" and
maybe look at the "rpm -ql" output then.


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

< Previous Next >
List Navigation