>Looks like someone was knocking... Is there any way to tell if they got in?
>
>################## LogWatch 1.6.6 Begin #####################
>
>
> --------------------- Cron Begin ------------------------
>Commands Run:
> User root:
> /sbin/rmmod -as: 144 Time(s)
> run-parts /etc/cron.daily: 1 Time(s)
> run-parts /etc/cron.hourly: 24 Time(s)
This is your cron stuff, quite normal. rmmod -as removes any unused
autocleanable modules, as well as outputting everything to syslog. Cron
daily and cron hourly are your daily and hourly crontabs
respectively. Check out /etc/cron.daily and /etc/cron.hourly; also of
interest would be crontab -l, to see if there is anything in there you
don't know.
Might also want to do a quick security check of your /etc/passwd file as
well as /etc/inetd.conf. If you have access to a port scanner, run it
against your machine.
> --------------------- ftpd-messages Begin ------------------------
>
>Anonymous FTP Logins:
> 24.64.182.188.on.wave.home.com (24.64.182.188):
>- 1 Time(s)
>
>
This could be a problem. A remote root exploit in wu-ftpd was recently
discovered, and if you haven't upgraded I would say there is a very
good chance someone has gotten in.
Check for signs of having a rootkit installed. Also check your
/root/.bash_history file to see what commands have been run as root (not
always listed in there, but some script kiddies forget about that file).
Also try a generic ls -al | more and see if your . dot directories are
listed. If you see anything strange, then install a fresh fileutils
package (fileutils-4.0-21 is the redhat 6.2 package) (rpm --force
/mnt/cdrom/RedHat/i386/RPMS/fileutils-4.0-21.i386.rpm) as well as the procps
package (rpm --force /mnt/cdrom/RedHat/i386/RPMS/procps-2.0.6-5.i386.rpm).
Other than that, if you see signs that someone has gotten in, back up your
needed data, reinstall the OS and install all the security patches, as
well as shut off everything you don't *NEED*.
Have fun, and http://www.cert.org might be of assistance as well.
Chris
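A small triage script for the checks Chris lists (an added example, not code from the original thread). The function names are hypothetical, and the passwd file and FTP log used in the demo are constructed; run verify_packages on the affected host itself.

```shell
#!/bin/sh
# Added triage helpers for the checks in the reply above (not part of the
# original post). Function names are hypothetical; sample data is constructed.

# Print UID-0 accounts other than root from a passwd-format file.
# An intruder or rootkit often leaves a second superuser account behind.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Count lines of an FTP log that carry bytes outside printable ASCII, the
# pattern in the LogWatch excerpt: a NOP sled and shellcode where a login
# name should be. Prints the count and returns 0 even when it is zero.
binary_login_names() {
    LC_ALL=C grep -c '[^[:print:][:space:]]' "$1" || true
}

# Verify fileutils and procps against the RPM database; these are the
# packages Chris names as the ones to reinstall if ls or ps look tampered
# with. A compromised rpm binary can lie too, so treat a clean result as a
# hint, not proof, and prefer booting from known-good media.
verify_packages() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -V fileutils procps
    else
        echo "rpm not found; run this on the affected host"
    fi
}

# Constructed sample data: a passwd file with a stray UID-0 account and an
# FTP log with one ordinary anonymous login and one whose user field is binary.
demo() {
    dir=$(mktemp -d)
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$dir/passwd"
    printf 'toor:x:0:0::/:/bin/sh\n' >> "$dir/passwd"
    printf 'ftp:x:14:50:FTP User:/home/ftp:\n' >> "$dir/passwd"
    printf 'ANONYMOUS FTP LOGIN FROM host.example (192.0.2.1), mozilla@\n' > "$dir/ftplog"
    printf 'ANONYMOUS FTP LOGIN FROM host.example (192.0.2.1), \220\220\220\220/bin/sh\n' >> "$dir/ftplog"
    echo "extra UID-0 accounts: $(extra_uid0_accounts "$dir/passwd")"
    echo "login lines with binary data: $(binary_login_names "$dir/ftplog")"
    rm -rf "$dir"
}
demo
```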
--
To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
as the Subject.