** Reply to message from "Gary Carr" <[EMAIL PROTECTED]> on Tue, 8 Aug 2000 13:59:20 -0400
> Ok, I have found the replaced files in the /bin directory. They replaced the
> login, ls, netstat, ps, and pwd files. I have restored those from the backup
> and am able to get into the server again. I was able to access the server by
> enabling the rlogin from single user mode and logging in remotely. Is there
> any way to look at these files to see what exactly they were doing? I may
> be able to get additional information to track this person down. The
> anonymous ftp came from Aurora.kerszov.hu (194.196.10.181)
And here is a paste of a traceroute to the given host using Matt's
Traceroute:
                       Matt's traceroute  [v0.42]
Nonesuch                                          Tue Aug 8 21:18:28 2000
Keys:  D - Display mode    R - Restart statistics    Q - Quit

                                               Packets          Pings
Hostname                                  %Loss  Rcv  Snt  Last Best  Avg Worst
 1. bc-pgr-a53-01.look.ca                    0%  201  202   117   86  112   176
 2. bc-van-hbr-r75-02-fe8-1-0.look.ca        0%  201  202   152   94  126   256
 3. bc-van-hbr-r75-01-fe0-0-0.look.ca        0%  201  201   122   97  132   416
 4. ???
 5. 104.ATM2-0.XR1.VAN1.ALTER.NET            0%  201  201   126   93  122   185
 6. 195.at-2-0-0.TR1.CAL1.ALTER.NET          0%  201  201   126  107  136   217
 7. 116.at-5-0-0.TR1.SAC1.ALTER.NET          0%  201  201   235  202  229   346
 8. 197.at-1-0-0.XR1.SAC1.ALTER.NET          0%  201  201   206  167  194   304
 9. 185.ATM7-0.BR3.SAC1.ALTER.NET            0%  201  201   296  167  194   296
10. sfra1sr4-at-2-0-0-0.ca.us.prserv.net     0%  201  201   236  174  198   260
11. sfra1br1-ge-1-0-0-0.ca.us.prserv.net     0%  201  201   267  166  197   267
12. beth1br2-so-6-2-0-0.md.us.prserv.net     0%  201  201   267  207  237   301
13. beth1br1-ge-6-3-0-0.md.us.prserv.net     0%  201  201   269  206  238   375
14. nyor1br2-so-6-2-0-0.ny.us.prserv.net     0%  201  201   256  224  250   346
15. nyor1sr1-10-1-0.ny.us.prserv.net         0%  201  201   230  225  254   437
16. nyc-br4-s4-p0.ny.us.prserv.net           0%  201  201   315  305  331   397
17. port1br1-10-0-0.pt.uk.ibm.net            0%  201  201   327  305  333   447
18. buda1br1.bu.hu.ibm.net                   8%  184  201   397  376  410   485
Either on the ibm.net domain or spoofed to appear to be.
Jack Bowling
Prince George, BC
mailto:[EMAIL PROTECTED]
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list