On Sun, 04 Mar 2001 12:04:25 -0800, Ben Ocean wrote:
>At 02:45 PM 3/4/2001 -0400, you wrote:
>>You'd need to do a ps aux to get a list of everything, and if you do
>>a ps aux | grep root, you'll get every process currently run by root,
>>unless "ps" has been compromised.
>
>This is what came from running that command:
<snip>
>root 1 0.0 0.1 1104 460 ? S Feb22 0:05 init [5]
>root 2 0.0 0.0 0 0 ? SW Feb22 0:00 [kflushd]
>root 3 0.0 0.0 0 0 ? SW Feb22 0:00 [kupdate]
>root 4 0.0 0.0 0 0 ? SW Feb22 0:00 [kpiod]
>root 5 0.0 0.0 0 0 ? SW Feb22 0:00 [kswapd]
>root 6 0.0 0.0 0 0 ? SW< Feb22 0:00 [mdrecoveryd]
>root 3849 0.0 0.5 2784 1468 ? S 10:30 0:00
>root 4232 0.0 0.5 2784 1468 ? S 11:40 0:00 /usr/local/sbin/s
>
>Feb 22 was probably the last cold boot.
>What's that last entry? I wasn't in that directory today.
Run a "ps ax | grep /usr/local/sbin/s". By doing the ps ax, it will
not display the usernames, and will give you more of the process
name. Also note that it's not necessarily you that may have run the
process...many daemon processes run whenever they run. It'll be
helpful to know what the process is.
>>My suggestion is to get a copy of chkrootkit, compile it, su to root,
>>and run it. It checks for the presence of most, if not all, of the
>>currently active rootkits.
>
>Thanks, Michael. I did that. It looks like all is well <sigh*> It did kick
>this one thing back:
>
> >>>
>Checking `z2'... lastlog entry may be corrupted
><<<
>
>How do I check on that? Also, if they *did* log on as root, *how* did they
>get my passwd and *why* were they unable to do damage?
I get that message, too...I wouldn't worry too much about that...I
believe it to be a side effect of logrotate.
As to what they did or didn't do...assuming that someone has gotten
in, I have no idea.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
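The reply above recommends re-running ps without the username column so the command name is not cut off. The following shell functions are an added example written for this page, not code from the thread or from chkrootkit: they parse `ps aux` output (the sample below is constructed from the lines quoted in the thread), flag entries whose command column came back blank, and read the full command line for one PID straight from /proc so it does not depend on terminal width. The function names and the sample data are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original mailing list post.
# Sample `ps aux` output constructed from the lines quoted in the thread;
# PID 3849 has a blank command column (truncated), PID 4232 shows the path.
SAMPLE_PS_AUX='root 1 0.0 0.1 1104 460 ? S Feb22 0:05 init [5]
root 2 0.0 0.0 0 0 ? SW Feb22 0:00 [kflushd]
root 3849 0.0 0.5 2784 1468 ? S 10:30 0:00
root 4232 0.0 0.5 2784 1468 ? S 11:40 0:00 /usr/local/sbin/s'

# Read `ps aux` lines on stdin and print "pid=<PID> cmd=<COMMAND>".
# The command is whatever follows the ten fixed columns; if ps cut it
# off at the terminal edge the column is empty and we print "?".
ps_aux_commands() {
    while read -r user pid cpu mem vsz rss tty stat start time cmd; do
        [ -n "$pid" ] || continue            # skip empty lines
        [ "$user" = "USER" ] && continue     # skip the header, if any
        printf 'pid=%s cmd=%s\n' "$pid" "${cmd:-?}"
    done
}

# PIDs whose command column was blank: these are the ones worth
# re-checking with the full command line.
ps_aux_blank_commands() {
    ps_aux_commands | sed -n 's/^pid=\([0-9]*\) cmd=?$/\1/p'
}

# Full command line of one PID, independent of ps output width.
# On Linux /proc/<pid>/cmdline holds the NUL-separated argv; elsewhere
# fall back to ps with the args column only (no header).
full_cmdline() {
    pid=$1
    if [ -r "/proc/$pid/cmdline" ]; then
        tr '\0' ' ' < "/proc/$pid/cmdline"
        echo
    else
        ps -o args= -p "$pid"
    fi
}

# Live equivalent of the reply's "ps ax | grep <path>": unlimited width
# (ww) and the grep process itself filtered out of the result.
find_procs() {
    ps axww | grep -- "$1" | grep -v grep
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_PS_AUX" | ps_aux_commands
echo "blank command column:"
printf '%s\n' "$SAMPLE_PS_AUX" | ps_aux_blank_commands
```

On the box in question you would run `find_procs /usr/local/sbin/s` and then `full_cmdline <PID>` for each hit. Reading /proc directly is a useful cross-check against a replaced ps binary, which the quoted reply already warns about, but it does not help against a kernel-level rootkit that hides the process from /proc as well; that is the gap chkrootkit is meant to cover.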