I had the following messages on my daily report for one of my web servers
today:
Checking Packages...
changes from previous run...
---
1a2
> ..5..... /usr/sbin/smbd
15a17,18
> ..5..... /usr/sbin/imapd
> S.5..UG. /usr/sbin/named
18c21
< .......T c /var/log/mars_nwe.log
---
> S.5....T c /var/log/mars_nwe.log
19a23
> S.5..... /bin/netstat
25a30,31
> SM5..... /bin/ps
> SM5..... /usr/bin/top
67a74,75
> S.5..... /bin/ls
> S.5..... /usr/bin/du
92c100
< ......G. /dev/ttyp1
---
> .M...UG. /dev/ttyp1
117a126
> SM5..... /usr/sbin/in.rshd
118a128
> SM5..... /bin/login
---
I assume this means I have been hacked. Am I right? I compared all the
file sizes to another server and all the files seem to be a bit larger in
size. I have copied all the files from the other identical server
and overwritten the files. And I changed all the passwords on the system.
Is there anything else I should do?
Thanks,
-Bryan Opfer
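
For triaging a report like the one in this message, the following added example (not part of the original post) decodes the rpm verify attribute columns on the current-run side of the diff and lists non-config binaries whose MD5 digest no longer matches the package database. The function names and the list of binary directories are assumptions of the example.

```python
import re

# Column order of the 8-character rpm verify string shown in the report
# (older rpm releases; later ones add a ninth column).
ORDER = "SM5DLUGT"
NAMES = {"S": "size", "M": "mode", "5": "MD5 digest", "D": "device",
         "L": "symlink target", "U": "owner", "G": "group", "T": "mtime"}
# Side marker, attribute columns, optional file-type marker ("c" = config), path.
LINE = re.compile(r"^([<>])\s+([SM5DLUGT.]{8})\s+(?:([cdglr])\s+)?(/\S+)$")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")  # assumption of this example

# Excerpt of the report quoted in the message above.
SAMPLE = """\
15a17,18
> ..5..... /usr/sbin/imapd
> S.5..UG. /usr/sbin/named
18c21
< .......T c /var/log/mars_nwe.log
---
> S.5....T c /var/log/mars_nwe.log
25a30,31
> SM5..... /bin/ps
92c100
< ......G. /dev/ttyp1
---
> .M...UG. /dev/ttyp1
"""

def parse_report(text):
    """Decode the '>' (current run) entries of the diffed verify output."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != ">":
            continue  # diff markers (15a17,18 / ---) and previous-run lines
        _side, cols, kind, path = m.groups()
        # A column counts as changed only when it holds its own letter.
        changed = [NAMES[c] for i, c in enumerate(cols) if c == ORDER[i]]
        entries.append({"path": path, "config": kind == "c", "changed": changed})
    return entries

def high_priority(entries):
    """Non-config files in binary directories whose digest no longer matches."""
    return [e["path"] for e in entries
            if "MD5 digest" in e["changed"] and not e["config"]
            and e["path"].startswith(BIN_DIRS)]

if __name__ == "__main__":
    for e in parse_report(SAMPLE):
        print(f'{e["path"]:<26} {", ".join(e["changed"])}')
    print("check first:", high_priority(parse_report(SAMPLE)))
```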