[CentOS] I appear to be attacking others

Sun Feb 5 16:14:35 UTC 2006
Ralph Angenendt <ra+centos at br-online.de>

Chris Mauritz wrote:
> Lots of good advice.  I'd also check for rootkits.  There are a couple 
> of "rootkit checkers" available.  You just download the source and 
> compile/execute them.  I've used this one with some success to de-louse 
> a friend's game server:
> 
> http://www.chkrootkit.org/

That would be a very dumb rootkit if one was installed on the server, as
the offending processes could be found with "ps" and "ls" showed the
directory and the files in there. Yes, one can never know *if* a rootkit
was installed, but I don't think so in this case.

But as always: If possible - rebuild the machine from scratch. If you
cannot do that, *monitor* the machine closely for suspect traffic. If
possible from another clean machine on the same network. 

> It's also a good practice to disconnect a suspect machine from the net 
> and do your hacking from the console if you suspect it's been burgled.  
> That way, it's not actively hosing other people while you're 
> troubleshooting the problem.

Yes.

> That is...unless you've got the skills to track the burglar back to
> their hideout.....

Which probably is just another cracked machine. The last time I did that
the tracks got lost somewhere in Malaysia.

Ralph
-- 
Ralph Angenendt......ra at br-online.de | .."Text processing has made it possible
Bayerischer Rundfunk...80300 München | ....to right-justify any idea, even one
Programmbereich.Bayern 3, Jugend und | .which cannot be justified on any other
Multimedia.........Tl:089.5900.16023 | ..........grounds." -- J. Finnegan, USC