*********** REPLY SEPARATOR  ***********

On 4/01/00 at 5:42 Frederic Herman wrote:

>Until you can verify otherwise, assume your box has been compromised. 
>Check the /sbin/rmt file to see if it has been altered, and if so,
>when.  If you have another box with same distro install, compare size
>and dates.

When checking size file appears to be 6852 bytes on RH6.0   set 0755


>
>Are you running amd? If so, make sure your patches are up to date,
>because amd is a well known exploited service. 


so amd uses this file huh ?


>Also check your
>/bin/login executable to see if it has been changed.  


it shows 20164 bytes ............set 4755

>
>Normally, syslog does a restart once a week (usually Sunday morning at
>4am on my box).  This occurs during the logrotate process.

I will have to check the syslog shutdowns again........

>
>Good luck.
>
>Greg W wrote:
>> 
>> Hi all
>> 
>> Can anyone identify why or what may give or create this situation/s
>> 
>> logtest on FTP shows ....
>>           Deleted       0 file(s)....
>>           Transfered       1 file(s)....
>>               /sbin/rmt c
>> 
>> What may  /sbin/rmt c     be ?   ideas ?  hard to know who transferred it,
>> (mmm) have rmt but no rmt c  .....
>> 
>> what situation will create a    .pwd.lock  file in /etc    , specifically
>> when doing what, or issuing what command, and from where  (like in shell or
>> from a web server etc...)
>> 
>> I have double checked all files like hosts.allow , passwd , shadow ,
>> inetd.conf , /tmp with no noticeable changes, am wondering if it's some y2k
>> thing, or if it's the worst case scenario.....
>> 
>> (above is on same box, was only one left on over new years, FTP is wrapped
>> and limited to only specific ip/service )
>> 
>> some other q's
>> 
>> What will su to xfs under normal operating conditions ?
>>  Does anyone get unexplained restarts of sysklogd ?  or is it rock solid
>> and will only be an attack that will stop it ?
>> 
>> is there any new exploits that are in the beta stage or specific due to y2k
>> :-)
>> 
>> Can supply heaps more info if needed, off the list.......
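
The comparison suggested in the thread (the same files on a second box with the same distro install), as an added example that is not part of the original messages. It goes beyond size and mode by also recording a SHA-256 hash, because a replaced binary can keep the original size and dates. It assumes GNU coreutils (`stat -c`, `sha256sum`); the function names and the manifest format are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes GNU coreutils: stat -c, sha256sum.
# Usage (hypothetical file names):
#   known-good box:  sh fpcheck.sh record /sbin/rmt /bin/login > manifest
#   suspect box:     sh fpcheck.sh check manifest

# fingerprint FILE...
# Print "size mode sha256 path" per file. The path comes last so that a name
# containing a space (like the "rmt c" entry in the FTP log) survives parsing.
fingerprint() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            printf '%s %s\n' '- - MISSING' "$f"
            continue
        fi
        meta=$(stat -c '%s %a' -- "$f")            # bytes and octal mode, e.g. "20164 4755"
        digest=$(sha256sum < "$f" | cut -d' ' -f1) # content hash, independent of size/dates
        printf '%s %s %s\n' "$meta" "$digest" "$f"
    done
}

# check_against MANIFEST
# Re-measure every path listed in MANIFEST on the local box and report any
# difference. Returns 0 when everything matches, 1 otherwise.
check_against() {
    rc=0
    while read -r want_size want_mode want_digest path; do
        want="$want_size $want_mode $want_digest $path"
        have=$(fingerprint "$path")
        if [ "$have" != "$want" ]; then
            printf 'CHANGED %s\n  baseline: %s\n  local:    %s\n' \
                "$path" "$want" "$have"
            rc=1
        fi
    done < "$1"
    return "$rc"
}

# Command-line entry point; does nothing when run without arguments.
case "${1:-}" in
    record) shift; fingerprint "$@" ;;
    check)  check_against "$2" ;;
esac
```

On a box that may be compromised, run `stat` and `sha256sum` from trusted media where possible, since the local copies of those tools can themselves have been replaced.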


