On Sun, 04 Mar 2001 11:39:39 -0800, Ben Ocean wrote:
>> >>tty1 is your primary console, on the physical machine.
>> >
>> >Please tell me how this relates to my concern.
>>
>>Don't be snippy about it, now.
>
>Hell, I ain't being snippy! It's an honest question.
>
>>If tty1 is the primary physical console (ie, your keyboard, monitor
>>and system, at Alt-F1), I'm curious as to whether 1) root is logged
>>in at the console and you're not aware of it
>
>doubt it. They don't even have SSH access and they sure as heck aren't in
>Greece.

SSH wouldn't do you any good at the physical console. The physical
console means sitting in front of the machine in question and
logged in via its keyboard and monitor.

>>, or 2) someone hacked in
>>and it's showing as from tty1.
>
>Okay, so if that's it, then what? I ran a ps and this is all that showed:
> PID TTY TIME CMD
> 4233 pts/1 00:00:00 bash
> 4244 pts/1 00:00:00 ps

Just a straight "ps" will only show you your active tasks from your
current session.

You'd need to do a ps aux to get a list of everything, and if you do
a ps aux | grep root, you'll get every process currently run by root,
unless "ps" has been compromised.

My suggestion is to get a copy of chkrootkit, compile it, su to root,
and run it. It checks for the presence of most, if not all, of the
currently active rootkits.

>> >>Is anyone else aware of any rootkits that point the physical tty's at
>> >>something virtual?
>> >
>> >What do you mean by this question?
>>
>>*blink*
>
>?
>
>>_______________________________________________
>>Redhat-list mailing list
>>[EMAIL PROTECTED]
>>https://listman.redhat.com/mailman/listinfo/redhat-list
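
The reply's caveat, "unless ps has been compromised", can be tested by comparing what ps lists against the process directories in /proc. The script below is an added example, not part of the original message; its function names are hypothetical and it assumes a Linux /proc and the procps `ps -e -o pid=` syntax.

```shell
#!/bin/sh
# Cross-view check: compare the PIDs ps reports with the numeric
# directories under /proc. A PID that stays visible in /proc but is
# never listed by ps suggests a tampered ps binary.

# PIDs according to ps (procps syntax, an assumption), one per line.
pids_from_ps() {
    ps -e -o pid= | tr -d ' '
}

# PIDs according to the proc filesystem; $1 overrides /proc for testing.
pids_from_proc() {
    for d in "${1:-/proc}"/[0-9]*; do
        if [ -d "$d" ]; then basename "$d"; fi
    done
}

# Print the lines of file $1 that are absent from file $2.
only_in_first() {
    a=$(mktemp) && b=$(mktemp) || return 1
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# Take both views twice and report PIDs missing from ps in both passes,
# which filters out processes that merely started or exited in between.
live_check() {
    t=$(mktemp -d) || return 1
    for pass in 1 2; do
        pids_from_proc > "$t/proc$pass"
        pids_from_ps   > "$t/ps$pass"
        only_in_first "$t/proc$pass" "$t/ps$pass" > "$t/miss$pass"
        sleep 1
    done
    # A PID listed in both miss files was absent from ps twice.
    sort "$t/miss1" "$t/miss2" | uniq -d | while read -r pid; do
        printf 'PID %s in /proc but not in ps: %s\n' "$pid" \
            "$({ tr '\0' ' ' < "/proc/$pid/cmdline"; } 2>/dev/null)"
    done
    rm -rf "$t"
}

# Run the live comparison only when asked: sh crossview.sh --live
if [ "${1:-}" = "--live" ]; then live_check; fi
```

A kernel-level rootkit that also filters /proc will pass this check, so an empty result does not clear the machine.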