On Tue, 4 Jan 2000, Justin Zygmont wrote:

> you can try to find out where they telneted from and maybe how from the
> /var/log/messages, then backup all important stuff and reinstall.

Unless they are very stupid with a very poor rootkit, their activity is
most likely not being recorded in /var/log/messages (replaced syslogd)
and they most likely removed entries that showed their initial activity
before they stopped the logging.  Thus, don't have too high hopes about
tracing them.  On the other hand, if you are able to
"see" their activity, maybe you're lucky enough to have some of the
least skillful and poorest equipped crackers, because they must not
have replaced enough utilities (ps?).   If you fire up a private
copy of syslogd under a different name, you might be able to see
their activity.  Of course, there is no guarantee that traceroute will
take you to them, since they may be taking a series of hops through
various other boxes that they've hacked to get to you and the trace
just often fails to complete.

It doesn't hurt to try, but don't wait too long to pull the plug and
re-install.


<snip>
> On Fri, 16 Feb 2001, Ed Lazor wrote:
>
> > Someone hacked into one of my systems and I can see them running
> > stuff.  They seem to have a rootkit installed, because nothing shows up
> > under who or w.  Is there anything I can do to trace them while they are
> > doing this stuff to catch them?
>

-- 
***************************************************************************
Jerry Winegarden        OIT/Technical Support           Duke University
[EMAIL PROTECTED]            http://www-jerry.oit.duke.edu
***************************************************************************
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
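An added example, not from anyone in this thread, of the check Jerry's remark about a replaced ps implies: a user-land rootkit that trojans ps can filter what it prints, but unless it also patches the kernel the hidden process still has a /proc/<pid> directory, so the two views can be compared. It assumes a Linux host with procfs mounted and a ps that accepts `-e -o pid=`; the sample PID sets at the bottom are constructed.

```python
#!/usr/bin/env python3
"""Find processes a trojaned ps hides by cross-checking it against /proc.
Added example for this thread; assumes Linux with procfs mounted."""
import os
import subprocess


def proc_pids():
    """PIDs the kernel currently exposes as numeric entries under /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def ps_pids(ps_output):
    """Parse `ps -e -o pid=` output (one bare PID per line) into a set."""
    return {int(tok) for tok in ps_output.split() if tok.isdigit()}


def hidden_pids(before, after, reported):
    """PIDs present in both /proc snapshots but absent from the ps report.
    Requiring presence in both snapshots drops processes that started or
    exited while ps was running, so only persistently hidden PIDs remain."""
    return sorted((before & after) - reported)


def describe(pid):
    """Command line read straight from /proc, bypassing any replaced binary."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as fh:
            raw = fh.read()
    except OSError:
        return "[exited]"
    text = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
    return text or "[kernel thread]"


def check_live():
    """Run the comparison on this host; returns {pid: cmdline} for hidden PIDs."""
    before = proc_pids()
    out = subprocess.run(["ps", "-e", "-o", "pid="], capture_output=True,
                         text=True, check=True).stdout
    after = proc_pids()
    return {pid: describe(pid) for pid in hidden_pids(before, after, ps_pids(out))}


# Constructed sample: the kernel sees four PIDs, the trojaned ps omits 4242.
SAMPLE_PROC = {1, 517, 4242, 9001}
SAMPLE_PS_OUTPUT = "    1\n  517\n 9001\n"

if __name__ == "__main__":
    print("sample hidden PIDs:",
          hidden_pids(SAMPLE_PROC, SAMPLE_PROC, ps_pids(SAMPLE_PS_OUTPUT)))
    for pid, cmd in check_live().items():
        print(f"HIDDEN pid={pid} cmdline={cmd}")
```

A kernel-level rootkit that hooks the /proc directory listing defeats this comparison, which is why the thread's advice to back up and reinstall still stands.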
