On Sun, 04 Mar 2001 12:30:32 -0800, Ben Ocean wrote:
>thewebsons:/apache/vhosts/downloads/chkrootkit-0.22# ps ax | grep "/usr/local/sbin/s"|more
> 661 ? S 0:07 /usr/local/sbin/sshd
> 3849 ? S 0:00 /usr/local/sbin/sshd
> 4232 ? S 0:00 /usr/local/sbin/sshd
> 4810 pts/1 S 0:00 grep /usr/local/sbin/s
>thewebsons:/apache/vhosts/downloads/chkrootkit-0.22# ps ax | grep "/usr/local/sbin/s"
> 661 ? S 0:07 /usr/local/sbin/sshd
> 3849 ? S 0:00 /usr/local/sbin/sshd
> 4232 ? S 0:00 /usr/local/sbin/sshd
These are the lines you were concerned about...I wouldn't be
concerned about them.
>>As to what they did or didn't do...assuming that someone has gotten
>>in, I have no idea.
>
>Well, *did* they get in, or do we know? Did they get in as far as tty1 and
>stop cold? Or, since they apparently logged in as root, did they gain
>access to the entire box through tty1? If they did, how should I go about
>protecting the machine? Changing the password would not only be useless, it
>would tip them off that I know what happened.
That's what I'm saying...tty1 is the physical machine. They couldn't
have gotten in via tty1, unless there's some new kit that manages to
redirect it out to the network.
I'd be inclined to say no.
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list