[CentOS] I appear to be attacking others
Michael Grinnell
grinnell at american.edu
Sun Feb 5 18:38:57 UTC 2006
On Feb 5, 2006, at 9:15 AM, Chris Mauritz wrote:
> John Hinton wrote:
>> James Pifer wrote:
>>
>>> On Sun, 2006-02-05 at 10:23 +0100, Ralph Angenendt wrote:
>>>
>>>> James Pifer wrote:
>>>>
>>>>> On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
>>>>>
>>>>>> Can you do an "ls -lah /dev/shm/..\ /"?
>>>>>>
>>>>> Yep, I get:
>>>>> drwxr-xr-x 2 hotmail hotmail 180 Feb 6 2005 nt
>>>>>
>>>> And now please the contents of this directory ...
>>>>
>>>
>>>
>>> Contents are:
>>>
>>> # pwd
>>> /dev/shm/.. /nt
>>> # ls -l
>>> total 76
>>> -rwxr-xr-x 1 hotmail hotmail 22400 Feb 6 2005 f
>>> -rw-r--r-- 1 hotmail hotmail 17266 Nov 1 2004 f.c
>>> -rw-r--r-- 1 hotmail hotmail 2574 Feb 5 02:22 log
>>> -rw-r--r-- 1 hotmail hotmail 16122 Jun 9 2005 pass
>>> -rw-r--r-- 1 hotmail hotmail 109 Feb 6 2005 README
>>> -rwxr-xr-x 1 hotmail hotmail 64 Feb 6 2005 s
>>> -rw-r--r-- 1 hotmail hotmail 59 Jun 9 2005 users
>>>
>>> James
>>>
>> You might want to do a ls -al on that directory, as I've seen
>> hackers use hidden files or directories which don't show using
>> just -l. Also, you might want to take a look in the usual
>> suspects, like /tmp.. /var/tmp.. again, ls -al to see if you can
>> find anything perhaps left for later use.
>>
>> Gee.. ain't it fun?
>
>
> Lots of good advice. I'd also check for rootkits. There are a
> couple of "rootkit checkers" available. You just download the
> source and compile/execute them. I've used this one with some
> success to de-louse a friend's game server:
>
> http://www.chkrootkit.org/
>
> It's also a good practice to disconnect a suspect machine from the
> net and do your hacking from the console if you suspect it's been
> burgled. That way, it's not actively hosing other people while
> you're troubleshooting the problem. 8-) That is...unless you've
> got the skills to track the burglar back to their hideout.....
>
> Cheers,
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
Sorry for the late response, but you should also check out lsof as
another method for finding which processes have which ports/files
open. It's a good way to double-check netstat, etc. You can find it
in the base CentOS repo.
Michael Grinnell
Network Security Administrator
The American University
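The thread's hiding trick was a directory named ".. " (dot, dot, space) under /dev/shm, which a plain "ls -l" glosses over. The following is an added example, not code from anyone in this thread: a POSIX sh helper that walks the scratch directories named above and prints dot-entries whose names contain whitespace or are made of extra dots, plus a one-liner wrapping the lsof check the reply recommends (the listening-socket function assumes lsof is installed).

```shell
#!/bin/sh
# Added example, not from the thread. Report dot-named entries that look
# like hiding spots: a leading-dot name containing whitespace (".. ", ". ")
# or a name made of three or more dots ("...").
# Usage: find_odd_hidden /dev/shm /tmp /var/tmp   (prints one path per line)
find_odd_hidden() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -name tests the basename only, so files inside a hidden tree are
        # not re-reported; '.' and '..' themselves are skipped.
        find "$dir" -name '.*' ! -name '.' ! -name '..' 2>/dev/null |
        while IFS= read -r p; do
            base=${p##*/}
            case "$base" in
                *[[:space:]]*) printf '%s\n' "$p" ;;   # dot-name with whitespace
                ...*)          printf '%s\n' "$p" ;;   # "..." style names
            esac
        done
    done
}

# Cross-check netstat with lsof, as suggested above: every TCP listener
# with its owning process and user. Requires lsof on the host.
listening_with_owner() {
    lsof -nP -iTCP -sTCP:LISTEN
}

# Stand-alone run over the usual suspects from the thread.
find_odd_hidden /dev/shm /tmp /var/tmp
```

Run it from the console on the disconnected box; any path it prints deserves a full "ls -al" of that tree before anything is deleted.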