Quoting "J. Bruce Fields" <[EMAIL PROTECTED]>:

> On Fri, Nov 07, 2003 at 10:45:32AM -0800, Mike Egglestone wrote:
> > Hi,
> > My server was trojaned recently, not sure how.
> > It looks like /bin/ps was modified or replaced with
> > a trojan.
>
> Out of curiosity--how can you tell?

I could tell because the ps file in /bin was only 8.5K.
Also, if I ran
#less /bin/ps
(warn me about being binary, view anyway)
There was some English text saying "Problem occured, trojan dumped".

> > How does this happen in the first place? Does someone need to steal the root
> > password and log in and plant the trojan, or could this be remotely exploited
> > through a security hole in one of my installed packages?
>
> Could be.
>
> > I don't understand how files can get overwritten without manually doing it.
>
> What led you to believe there was a compromise in the first place?

/etc/samba/ was completely empty.
Workstations this morning were not logging into the samba server.

> Once you decide it was compromised, there's nothing you can do but start
> over (very carefully!) from scratch. It's hard to know for sure that
> you've found all the backdoors.--b.

I must run my updates more often I suppose.
Thanks for your input.
Luckily, I had my system on a separate drive and so the re-install
should go smoothly.
I think I'll apt-get install snort too!

Mike
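
One way to check a suspect binary such as /bin/ps against recorded package checksums rather than by file size alone; this is an added example, not part of the original thread. It assumes a manifest in md5sum format (the layout of Debian's /var/lib/dpkg/info/<package>.md5sums files) and that the suspect disk is mounted under a separate root and checked from a known-good system; the function name and the sample files are constructed for illustration.

```shell
#!/bin/sh
# verify_manifest ROOT MANIFEST   (hypothetical helper name)
# MANIFEST lines look like "<md5>  <path relative to ROOT>".
# Prints one line per problem file; returns 0 if everything matches, 1 otherwise.
# Run it from rescue media: on a compromised host, md5sum and the manifest
# themselves may have been replaced.
verify_manifest() {
    root=$1
    manifest=$2
    bad=0
    while read -r want rel; do
        [ -n "$rel" ] || continue                 # skip blank lines
        file="$root/$rel"
        if [ ! -f "$file" ]; then
            echo "MISSING  $rel"
            bad=1
            continue
        fi
        got=$(md5sum < "$file" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "MODIFIED $rel ($(wc -c < "$file") bytes)"
            bad=1
        fi
    done < "$manifest"
    return "$bad"
}

# Constructed demonstration: a fake root with bin/ps, then a swapped binary.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/root/bin"
    printf 'original ps binary (constructed sample)\n' > "$d/root/bin/ps"
    (cd "$d/root" && md5sum bin/ps) > "$d/procps.md5sums"
    verify_manifest "$d/root" "$d/procps.md5sums" && echo "clean"
    printf 'replaced\n' > "$d/root/bin/ps"        # simulate a replaced binary
    verify_manifest "$d/root" "$d/procps.md5sums" || echo "tampering detected"
    rm -rf "$d"
}
demo
```

A mismatch shows that a file differs from what the package shipped; a clean result does not show that the system is free of backdoors, since files outside any package manifest are not covered.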