On Tue, 08 Aug 2000, you wrote:
> Ok, I have found the replaced files in the /bin directory. They replaced the
> login, ls, netstat, ps, and pwd files. I have restored those from the backup
> and am able to get into the server again. I was able to access the server by
> enabling the rlogin from single user mode and logging in remotely. Is there
> any way to look at these files to see what exactly they were doing? I may
> be able to get additional information to track this person down. The
> anonymous ftp came from Aurora.kerszov.hu (194.196.10.181)
>
Chances are the attack didn't actually come from that machine, but
was routed through that machine.
John
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list