The command to check /bin by modtime is: "ls -altc /bin"
The man page says you need the -t with -c if you want to see
things "float to the top" by ctime instead of by name.
Juan
--
Write a wise saying and your name will live forever.
-- Anonymous
On Mon, 31 Jul 2000, Brian Ashe wrote:
> Date: Mon, 31 Jul 2000 10:52:13 -0400
> From: Brian Ashe <[EMAIL PROTECTED]>
> To: "Burke, Thomas G." <[EMAIL PROTECTED]>
> Subject: Re: Somebody's knocking...
> Resent-Date: 31 Jul 2000 14:53:19 -0000
> Resent-From: [EMAIL PROTECTED]
> Resent-cc: recipient list not shown: ;
>
> Hi Thomas,
>
> The first way to tell if you were compromised is if you can still log in.
> Most root kits replace /bin/login. If for some reason your hacker did not,
> you can also do an ls -alc /bin to see if anything floats to the top. If
> a root kit was installed, the dates won't match and you will at least see ps
> move to the top.
>
> If all of your updates are done, they most likely didn't get in.
>
> Have fun,
> --
> _________________________________________________________________
> Brian Ashe CTO
> [EMAIL PROTECTED] Dee-Web Software Services, LLC.
> http://www.dee-web.com/
> -----------------------------------------------------------------
> Those who desire to give up Freedom in order to gain Security,
> will not have, nor do they deserve, either one.
>
> Monday, July 31, 2000, 9:13:49 AM, you wrote:
>
> BTG> Looks like someone was knocking... Is there any way to tell if they got in?
>
> BTG> ################## LogWatch 1.6.6 Begin #####################
>
>
> BTG> --------------------- Cron Begin ------------------------
> BTG> Commands Run:
> BTG> User root:
> BTG> /sbin/rmmod -as: 144 Time(s)
> BTG> run-parts /etc/cron.daily: 1 Time(s)
> BTG> run-parts /etc/cron.hourly: 24 Time(s)
>
>
> BTG> ---------------------- Cron End -------------------------
>
>
>
> BTG> --------------------- ftpd-messages Begin ------------------------
>
> BTG> Anonymous FTP Logins:
> BTG> 24.64.182.188.on.wave.home.com (24.64.182.188):
> BTG> - 1 Time(s)
>
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.
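
Added example, not part of the original thread: a shell script that automates the "see what floats to the top" check from the messages above by flagging files whose ctime is well ahead of the rest of a directory. It assumes GNU stat (`stat -c`); the function names and the constructed sample directory are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat (stat -c);
# function names and the sample directory are hypothetical.

# Print "ctime name" for each regular file in directory $1, newest first.
list_by_ctime() {
    for f in "$1"/*; do
        if [ -f "$f" ]; then stat -c '%Z %n' "$f"; fi
    done | sort -rn
}

# Name at the top of "ls -tc" for directory $1 (the check from the thread).
top_by_ctime() {
    ls -tc "$1" | head -n 1
}

# Print names in $1 whose ctime is more than $2 seconds newer than the
# directory's median ctime, i.e. the entries that "float to the top".
# ctime changes on content replacement and also on chmod/chown.
ctime_outliers() {
    list=$(list_by_ctime "$1")
    [ -n "$list" ] || return 0
    count=$(printf '%s\n' "$list" | wc -l)
    median=$(printf '%s\n' "$list" | sed -n "$(( ($count + 1) / 2 ))p" | cut -d' ' -f1)
    printf '%s\n' "$list" | while read -r ct name; do
        if [ $(( $ct - $median )) -gt "$2" ]; then basename "$name"; fi
    done
}

# Constructed sample: five files created together, then one of them
# replaced a few seconds later, as after an install into /bin.
demo() {
    d=$(mktemp -d)
    for n in cat login ls ps sh; do echo "$n" > "$d/$n"; done
    sleep 3
    echo replaced > "$d/ps"
    echo "top=$(top_by_ctime "$d") outliers=$(ctime_outliers "$d" 1)"
    rm -rf "$d"
}

demo
```

On a real system, run `ctime_outliers /bin 86400` and compare the result against your package update history, since legitimate updates also move ctime.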