A little hint that's helped me identify what happened before:
Use grep to look for things like "telnet" and "wget" in the httpd logs. Since it doesn't exactly look like you've been rooted, these are probably intact and available.
May be obvious, but it may also have been missed....
-Ben
On Wednesday 03 May 2006 22:37, Nick wrote:
Rick Philbrick wrote:
Hi,
Well thats telling. So do you have chkroot-kit installed? Although you know you've got to have a root-kit on there. Anyway, it may help narrow your search of the directories and the changes within.
-rickp
Well i quarantined the files and then ran rkhunter and chkrootkit and both came back ok. Not going to risk not starting over on the box but if i can't tell how they got in then I'm not stopping it happening again. It could of course have something to do with one of the webapps the box runs (forum software)...
Also i found my iptables script wasn't blocking port 80 and port 21 outbound.... school boy error.
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
-- This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.