[CentOS] I appear to be attacking others

Sun Feb 5 18:38:57 UTC 2006
Michael Grinnell <grinnell at american.edu>

On Feb 5, 2006, at 9:15 AM, Chris Mauritz wrote:

> John Hinton wrote:
>> James Pifer wrote:
>>
>>> On Sun, 2006-02-05 at 10:23 +0100, Ralph Angenendt wrote:
>>>
>>>> James Pifer wrote:
>>>>
>>>>> On Sun, 2006-02-05 at 10:01 +0100, Ralph Angenendt wrote:
>>>>>
>>>>>> Can you do an "ls -lah /dev/shm/..\ /"?
>>>>>>
>>>>> Yep, I get:
>>>>>     drwxr-xr-x  2 hotmail hotmail 180 Feb  6  2005 nt
>>>>>
>>>> And now please the contents of this directory ...
>>>>
>>>
>>>
>>> Contents are:
>>>
>>> # pwd
>>> /dev/shm/.. /nt
>>> # ls -l
>>> total 76
>>> -rwxr-xr-x  1 hotmail hotmail 22400 Feb  6  2005 f
>>> -rw-r--r--  1 hotmail hotmail 17266 Nov  1  2004 f.c
>>> -rw-r--r--  1 hotmail hotmail  2574 Feb  5 02:22 log
>>> -rw-r--r--  1 hotmail hotmail 16122 Jun  9  2005 pass
>>> -rw-r--r--  1 hotmail hotmail   109 Feb  6  2005 README
>>> -rwxr-xr-x  1 hotmail hotmail    64 Feb  6  2005 s
>>> -rw-r--r--  1 hotmail hotmail    59 Jun  9  2005 users
>>>
>>> James
>>>
>> You might want to do a ls -al on that directory, as I've seen  
>> hackers use hidden files or directories which don't show using  
>> just -l. Also, you might want to take a look in the usual  
>> suspects, like /tmp.. /var/tmp.. again, ls -al to see if you can  
>> find anything perhaps left for later use.
>>
>> Gee.. ain't it fun?
>
>
> Lots of good advice.  I'd also check for rootkits.  There are a
> couple of "rootkit checkers" available.  You just download the
> source and compile/execute them.  I've used this one with some
> success to de-louse a friend's game server:
>
> http://www.chkrootkit.org/
>
> It's also a good practice to disconnect a suspect machine from the
> net and do your hacking from the console if you suspect it's been
> burgled.  That way, it's not actively hosing other people while
> you're troubleshooting the problem.  8-)  That is...unless you've
> got the skills to track the burglar back to their hideout.....
>
> Cheers,
>


Sorry for the late response, but you should also check out lsof as  
another method for finding which processes have which ports/files  
open.  It's a good way to double-check netstat, etc.  You can find it  
in the base CentOS repo.

Michael Grinnell
Network Security Administrator
The American University
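Putting the thread's advice together as a script (an added example, not code any of the posters shared): it sweeps the staging directories named above with find for entries a plain "ls -l" hides or that mimic "..", like the ".. " directory James found, and then shows which processes hold network sockets via lsof beside the ss/netstat view. It assumes GNU or BSD find (for -mindepth) and, optionally, lsof installed from the base repo.

```shell
#!/bin/sh
# Added example, not code from the thread. Sweeps the staging directories
# the thread names (/dev/shm, /tmp, /var/tmp) for entries a plain "ls -l"
# hides or that mimic "..", then cross-checks open sockets with lsof.
# Assumes GNU/BSD find (-mindepth) and, optionally, lsof from the base repo.

# Print the path of every entry under DIR whose name starts with a dot or
# contains a space/tab: the ".. " directory from the thread matches both.
list_odd_names() {
    dir=$1
    tab=$(printf '\t')
    find "$dir" -mindepth 1 \
        \( -name '.*' -o -name '* *' -o -name "*${tab}*" \) \
        -print 2>/dev/null
}

# For each staging directory: show odd names with owner, mode and mtime
# (ls -lad keeps the directory itself instead of descending into it), then
# do the full "ls -al" John suggests so nothing with a normal name slips by.
sweep_staging_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        echo "== $d: entries with hidden or deceptive names"
        list_odd_names "$d" | while IFS= read -r p; do
            ls -lad -- "$p"
        done
        echo "== $d: full listing"
        ls -al -- "$d"
    done
}

# Which processes hold which network sockets: lsof first, then the
# ss/netstat view to compare against it, as Michael's reply recommends.
show_sockets() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i 2>/dev/null
    fi
    if command -v ss >/dev/null 2>&1; then
        ss -tunap 2>/dev/null
    elif command -v netstat >/dev/null 2>&1; then
        netstat -tunap 2>/dev/null
    fi
}

sweep_staging_dirs /dev/shm /tmp /var/tmp
show_sockets
```

Run it from the console as root so lsof and ss can map sockets to owning processes; unprivileged runs only see your own.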