Until you can verify otherwise, assume your box has been compromised.
Check the /sbin/rmt file to see if it has been altered, and if so,
when.  If you have another box with the same distro install, compare size
and dates.

Are you running amd? If so, make sure your patches are up to date,
because amd is a well-known exploited service.  Also check your
/bin/login executable to see if it has been changed.  If you find
anything to tell you your box has been cracked, your safest remedy is to
do a clean install of Linux.  You might also consider installing
tripwire and portsentry as a minimum detection/reaction to portscanning
and detection of a compromised system.

Normally, syslog does a restart once a week (usually Sunday morning at
4am on my box).  This occurs during the logrotate process.

Good luck.

Fred
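The checks Fred describes (compare the size and dates of /sbin/rmt and /bin/login against a known-good system, and run something tripwire-like to catch future changes) amount to a file-integrity baseline. The script below is an added example written for this thread, not code from either poster or from tripwire itself: it records size, mtime and SHA-256 for a list of watched paths, then reports anything that differs. The watched paths, the temporary directory and the "rmt c" file in the demo are constructed stand-ins for the real /sbin and /bin, so it runs offline.

```python
"""Minimal file-integrity baseline check (added example, not from the thread).

snapshot() records size, mtime and SHA-256 for each watched path (or None
when the path does not exist, so a file that later appears is also flagged);
compare() lists every difference between two snapshots.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path):
    """Hash a file in 64 KiB chunks so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(paths):
    """Return {path: {"size", "mtime", "sha256"}} for existing files, None for absent ones."""
    baseline = {}
    for p in paths:
        p = str(p)
        if not os.path.isfile(p):
            baseline[p] = None
            continue
        st = os.stat(p)
        baseline[p] = {"size": st.st_size,
                       "mtime": int(st.st_mtime),
                       "sha256": sha256_of(p)}
    return baseline


def save_baseline(baseline, dest):
    """Write the baseline as JSON; keep the real copy somewhere the box cannot rewrite it."""
    Path(dest).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src):
    return json.loads(Path(src).read_text())


def compare(baseline, current):
    """Return a list of (path, reason) for every path whose recorded values differ."""
    findings = []
    for p in sorted(set(baseline) | set(current)):
        old, new = baseline.get(p), current.get(p)
        if old == new:
            continue
        if old is None and new is not None:
            findings.append((p, "new file"))
        elif new is None:
            findings.append((p, "missing"))
        else:
            changed = [k for k in ("size", "mtime", "sha256") if old[k] != new[k]]
            findings.append((p, "changed: " + ", ".join(changed)))
    return findings


def demo():
    """Constructed scenario mirroring the thread: a fake /sbin/rmt is baselined,
    then its contents change and an unexpected 'rmt c' appears beside it."""
    with tempfile.TemporaryDirectory() as root:
        sbin = Path(root, "sbin")
        sbin.mkdir()
        bin_dir = Path(root, "bin")
        bin_dir.mkdir()
        rmt = sbin / "rmt"
        rmt.write_bytes(b"#!/bin/sh\necho original rmt\n")
        login = bin_dir / "login"
        login.write_bytes(b"placeholder for the real /bin/login binary")

        watched = [rmt, login, sbin / "rmt c"]   # "rmt c" is absent at baseline time
        baseline_file = Path(root, "baseline.json")
        save_baseline(snapshot(watched), baseline_file)

        # Simulate what Greg saw: rmt's contents change and a stray "rmt c" shows up.
        rmt.write_bytes(b"#!/bin/sh\necho original rmt\n# appended lines\n")
        (sbin / "rmt c").write_bytes(b"unexpected file")

        findings = compare(load_baseline(baseline_file), snapshot(watched))
        # Report by basename so the result does not depend on the temp directory name.
        return {Path(p).name: reason for p, reason in findings}


if __name__ == "__main__":
    for name, reason in demo().items():
        print(f"{name}: {reason}")
```

Comparing size and mtime alone, as the reply suggests, catches careless replacements; the hash catches a same-size file with a touched-back timestamp. Whatever you baseline against (a sibling box or a saved JSON), keep that copy off the suspect machine, since anything a compromised host can write to, it can also "correct".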

Greg W wrote:
> 
> Hi all
> 
> Can anyone identify why or what may give or create this situation/s
> 
> logtest on FTP shows ....
>           Deleted       0 file(s)....
>           Transfered       1 file(s)....
>               /sbin/rmt c
> 
> What may /sbin/rmt c be?  Ideas?  Hard to know who transferred it,
> (mmm) have rmt but no rmt c .....
> 
> What situation will create a .pwd.lock file in /etc, specifically
> when doing what, or issuing what command, and from where (like in shell or
> from a web server etc...)
> 
> I have double checked all files like hosts.allow, passwd, shadow,
> inetd.conf, /tmp with no noticeable changes, am wondering if it's some Y2K
> thing, or if it's the worst case scenario.....
> 
> (above is on same box, was only one left on over new years, FTP is wrapped
> and limited to only specific ip/service )
> 
> some other q's
> 
> What will su to xfs under normal operating conditions ?
>  Does anyone get unexplained restarts of sysklogd ?  or is it rock solid
> and will only be an attack that will stop it ?
> 
> Are there any new exploits that are in the beta stage or specific due to Y2K
> :-)
> 
> Can supply heaps more info if needed, off the list.......
> 
> Regards
> 
> Greg Wright
> IT Consultant Sydney Australia
> 
> --
> 
> *** Please trim any replies ***
> *** Please turn off HTML in your email ***
> *** Please don't use the list for test messages ***
> *** Why not read the archives? http://moongroup.com/redhat.phtml ***
> 
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
