At 03:21 PM 3/4/2001 -0400, you wrote:
>Run a "ps ax | grep "/usr/local/sbin/s"  By doing the ps ax, it will
>not display the usernames, and will give you more of the process
>name.  Also note that it's not necessarily you that may have run the
>process...many daemon processes run whenever they run.  It'll be
>helpful to know what the process is.

Hmmm... I copied and pasted that line, hit *enter*, then realized (because 
of the *>* prompt) that I'd forgotten the closing quote mark, entered that 
and got a bunch of stuff. But when I ran it the second time I didn't.

 >>>
   PID TTY      STAT   TIME COMMAND
     1 ?        S      0:05 init [5]
     2 ?        SW     0:00 [kflushd]
     3 ?        SW     0:00 [kupdate]
     4 ?        SW     0:00 [kpiod]
     5 ?        SW     0:00 [kswapd]
     6 ?        SW<    0:00 [mdrecoveryd]
   312 ?        S      0:00 portmap
   367 ?        S      0:05 syslogd -m 0
   378 ?        S      0:00 klogd
   394 ?        S      0:00 /usr/sbin/atd
   410 ?        S      0:00 crond
   430 ?        S      0:00 inetd
   446 ?        S      0:00 lpd
   521 ?        S      0:02 /usr/sbin/httpsd -DSSL
   531 ?        S      0:00 sh /usr/bin/safe_mysqld --datadir=/var/lib/mysql --pi
   582 ?        S      0:00 xfs -droppriv -daemon -port -1
   606 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
   609 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
   610 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
   635 ?        S      0:00 interchange
   661 ?        S      0:07 /usr/local/sbin/sshd
   669 tty1     S      0:00 /sbin/mingetty tty1
   670 tty2     S      0:00 /sbin/mingetty tty2
   671 tty3     S      0:00 /sbin/mingetty tty3
   672 tty4     S      0:00 /sbin/mingetty tty4
   673 tty5     S      0:00 /sbin/mingetty tty5
   674 tty6     S      0:00 /sbin/mingetty tty6
   675 ?        S      0:00 /usr/bin/gdm -nodaemon
   685 ?        S      0:00 perl /usr/libexec/webmin/miniserv.pl /etc/webmin/mini
   983 ?        Z      0:00 [X <defunct>]
   984 ?        Z      0:00 [gdm <defunct>]
  8087 ?        S      0:00 in.identd -e -o
  8091 ?        S      0:00 in.identd -e -o
  8092 ?        S      0:00 in.identd -e -o
  8093 ?        S      0:00 in.identd -e -o
  8094 ?        S      0:00 in.identd -e -o
  8095 ?        S      0:00 in.identd -e -o
  8096 ?        S      0:00 in.identd -e -o
  8097 ?        S      0:00 in.identd -e -o
  8098 ?        S      0:00 in.identd -e -o
  8099 ?        S      0:00 in.identd -e -o
  8100 ?        S      0:00 in.identd -e -o
16251 ?        S      0:00 sendmail: accepting connections on port 25
22288 ?        S      0:00 /usr/sbin/httpsd -DSSL
22289 ?        S      0:00 /usr/sbin/httpsd -DSSL
22290 ?        S      0:00 /usr/sbin/httpsd -DSSL
22291 ?        S      0:00 /usr/sbin/httpsd -DSSL
22292 ?        S      0:02 /usr/sbin/httpsd -DSSL
22293 ?        S      0:00 /usr/sbin/httpsd -DSSL
22294 ?        S      0:00 /usr/sbin/httpsd -DSSL
22295 ?        S      0:00 /usr/sbin/httpsd -DSSL
22296 ?        S      0:00 /usr/sbin/httpsd -DSSL
22297 ?        S      0:00 /usr/sbin/httpsd -DSSL
  2819 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
  2823 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
  2827 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
  2828 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
  2829 ?        S      0:02 /usr/sbin/httpsd -DSSL
  3321 ?        S      0:00 /usr/sbin/httpsd -DSSL
  3322 ?        S      0:00 /usr/sbin/httpsd -DSSL
  3849 ?        S      0:00 /usr/local/sbin/sshd
  3850 pts/0    S      0:00 -bash
  3945 pts/0    S      0:00 su root
  3946 pts/0    S      0:00 bash
  4232 ?        S      0:00 /usr/local/sbin/sshd
  4233 pts/1    S      0:00 -bash
  4304 ?        S      0:00 /usr/sbin/mysqld --basedir=/ --datadir=/var/lib/mysql
  4346 pts/1    S      0:00 su root
  4347 pts/1    S      0:00 bash
  4807 pts/1    R      0:00 ps ax
  4808 pts/1    R      0:00 bash
thewebsons:/apache/vhosts/downloads/chkrootkit-0.22# ps ax | grep "/usr/local/sbin/s"|more
   661 ?        S      0:07 /usr/local/sbin/sshd
  3849 ?        S      0:00 /usr/local/sbin/sshd
  4232 ?        S      0:00 /usr/local/sbin/sshd
  4810 pts/1    S      0:00 grep /usr/local/sbin/s
thewebsons:/apache/vhosts/downloads/chkrootkit-0.22# ps ax | grep "/usr/local/sbin/s"
   661 ?        S      0:07 /usr/local/sbin/sshd
  3849 ?        S      0:00 /usr/local/sbin/sshd
  4232 ?        S      0:00 /usr/local/sbin/sshd
<<<

>As to what they did or didn't do...assuming that someone has gotten
>in, I have no idea.

Well, *did* they get in, or do we know? Did they get in as far as tty1 and 
stop cold? Or, since they apparently logged in as root, did they gain 
access to the entire box through tty1? If they did, how should I go about 
protecting the machine? Changing the password would not only be useless, it 
would tip them off that I know what happened.
TIA,
BenO
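The quoted `ps ax | grep "/usr/local/sbin/s"` advice has one wrinkle that the pasted output already shows: on the first run the grep caught its own command line (PID 4810, `grep /usr/local/sbin/s`), on the second it did not, because whether the grep is still in the process table when ps walks it is a race. The POSIX sh filter below is an added example for this thread, not code from either poster: it anchors the pattern to the start of the COMMAND column, so the searching grep (and anything else that merely mentions the path as an argument) never matches, and it hands back the PIDs so each one can be checked against the binary it was actually started from via /proc/PID/exe. The sample process table is constructed here, modelled on the output above, and the helper names (match_cmd, pids_of, count_cmd) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): select processes out of "ps ax" output by
# the start of their COMMAND column, so that the grep doing the searching can
# never match itself, and hand back the PIDs for follow-up inspection.

# Constructed sample modelled on the output in the post; not captured from a real host.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  661 ?        S      0:07 /usr/local/sbin/sshd
 3849 ?        S      0:00 /usr/local/sbin/sshd
 3850 pts/0    S      0:00 -bash
 4232 ?        S      0:00 /usr/local/sbin/sshd
 4810 pts/1    S      0:00 grep /usr/local/sbin/s
 4811 pts/0    S      0:00 md5sum /usr/local/sbin/sshd'

# match_cmd PREFIX: read "ps ax" lines on stdin and print those whose COMMAND
# field (everything from column 5 on) begins with PREFIX.  Anchoring on the
# column start is what keeps "grep /usr/local/sbin/s" and "md5sum ..." out.
match_cmd() {
    awk -v prefix="$1" '
        NR == 1 && $1 == "PID" { next }          # drop the header line
        {
            cmd = $5
            for (i = 6; i <= NF; i++) cmd = cmd " " $i
            if (index(cmd, prefix) == 1) print
        }'
}

# pids_of PREFIX: same selection, but print only the PID column, one per line.
pids_of() {
    match_cmd "$1" | awk '{ print $1 }'
}

# count_cmd PREFIX: number of matching processes, as a bare integer.
count_cmd() {
    match_cmd "$1" | awk 'END { print NR + 0 }'
}

# Stand-alone demo on the constructed sample.  On a live Linux box replace the
# printf with "ps ax", e.g.
#   ps ax | pids_of /usr/local/sbin/sshd | while read -r pid; do ls -l "/proc/$pid/exe"; done
# /proc/PID/exe is a symlink to the file the process was executed from, and the
# kernel appends " (deleted)" to it if that file has since been removed or replaced.
printf '%s\n' "$SAMPLE_PS" | match_cmd /usr/local/sbin/s
printf 'matching processes: %s\n' "$(printf '%s\n' "$SAMPLE_PS" | count_cmd /usr/local/sbin/s)"
```

Run on the sample this prints the three sshd rows and "matching processes: 3"; the grep and md5sum rows are excluded because their command columns begin with `grep` and `md5sum`, not with the path.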



_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
