I usually watch and listen to this mailing list but this one really caught my eye. I used to do a lot of this in the military for 20 yrs on nix boxes. Now I am a net engineer for a mid-sized wisp. I have seen how brutal attacks take place on nix boxes. When I config a nix box the first thing I do is set the firewall up to block all ports above 1048 and only let in or out what ports are needed for the machine. My favorite ports to block are ftp, ssh and telnet. I will configure different ports for those apps if they are needed. I even block these common ports on our gateway to the network and only allow certain accounts inside the net access because they do not know how to change their ports to something uncommon. Most root kits are hard scripted for the common ports, unless the attacker is smart enough to use a port scanner to try and find alternate ports, but I can also block most scanners by dropping certain connection types. I have had a machine online for about 16 yrs uptime with no attacks. They try but they die :) If it was easy enough for a root kit to get access to your machine then there are some definite holes in the system.
Matt wrote:
>
>   PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
> 23119 apache    15   0   964  556  472 S  0.7  0.0   0:03.68 atack
> 23479 apache    15   0   964  556  472 S  0.7  0.0   0:01.94 atack
> 22170 apache    15   0   964  560  472 S  0.3  0.0   0:05.23 atack
> 22375 apache    15   0   964  560  472 S  0.3  0.0   0:04.21 atack
> 22858 apache    15   0   964  560  472 S  0.3  0.0   0:02.87 atack
> 22997 apache    15   0   964  560  472 S  0.3  0.0   0:04.11 atack
> 22999 apache    15   0   964  560  472 S  0.3  0.0   0:02.22 atack
> 23007 apache    15   0   964  560  472 S  0.3  0.0   0:03.79 atack
> 23099 apache    15   0   964  556  472 S  0.3  0.0   0:02.18 atack
> 23101 apache    15   0   964  556  472 S  0.3  0.0   0:02.48 atack
> 23108 apache    15   0   964  556  472 S  0.3  0.0   0:03.59 atack
> 23109 apache    15   0   964  556  472 S  0.3  0.0   0:02.75 atack
> 23112 apache    15   0   972  504  412 S  0.3  0.0   0:04.70 atack
> 23115 apache    15   0   964  556  472 S  0.3  0.0   0:03.75 atack
> 23116 apache    15   0   964  556  472 S  0.3  0.0   0:02.80 atack
> 23121 apache    15   0   972  504  412 S  0.3  0.0   0:03.79 atack
> 23384 apache    15   0   964  556  472 S  0.3  0.0   0:01.63 atack
> 23389 apache    15   0   964  556  472 S  0.3  0.0   0:03.52 atack
> 23392 apache    15   0   964  556  472 S  0.3  0.0   0:01.61 atack
> 23397 apache    15   0   964  556  472 S  0.3  0.0   0:01.62 atack
> 23405 apache    15   0   964  556  472 S  0.3  0.0   0:03.64 atack
>
> When I 'ps -ef' I can see many lines as below:
>
> apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
> apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
> apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
> apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
> apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
> apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
> apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100
>
> Hell, has my centos 5.3 box been hacked??? Help !!!!!!!!!!
>
> A good tool to have on your linux box that may help, some.
>
> http://rkhunter.sourceforge.net/
>
> http://rpmfind.net/linux/rpm2html/search.php?query=rkhunter
>
> After installing, do:
>
> rkhunter --update
>
> rkhunter -c
>
> And see if it finds anything.
> ------------------------------------------------------------------------
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
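The `ps -ef` listing quoted above shows the pattern a responder would want to pick out automatically: a web-server service account (apache) running a binary from a relative path (`./atack 100`), with many copies hanging off the same parent PID. The following script is an added example, not code from this thread and not part of rkhunter; it parses `ps -ef` output, flags that pattern, and lists the `/proc` entries to inspect next. The sample listing is constructed to match the thread's output (the httpd parent line, PID 23378, and the other rows are invented for context), and the `SERVICE_ACCOUNTS` set is an assumption you would tune for your own hosts.

```python
"""Triage a `ps -ef` listing for service-account processes that run a
non-absolute executable (./atack) and fan out from one parent.
Added example for the thread above; sample data is constructed."""
from collections import defaultdict
import subprocess

# Assumption: accounts that serve content and should never be seen
# launching ad-hoc binaries from a relative path.
SERVICE_ACCOUNTS = {"apache", "www-data", "httpd", "nobody"}

# Constructed sample modelled on the `ps -ef` lines in the thread.
# Only the ./atack rows are taken from the post; the rest is invented.
SAMPLE_PS = """\
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 10:00 ?        00:00:01 /sbin/init
apache   23378  2210  0 10:50 ?        00:00:00 /usr/sbin/httpd
apache   24253 23378  0 10:54 ?        00:00:00 ./atack 100
apache   24286 23378  0 10:59 ?        00:00:00 ./atack 100
apache   24292 23378  0 11:00 ?        00:00:01 ./atack 100
apache   24335 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24344 23378  0 11:01 ?        00:00:00 ./atack 100
apache   24347 23378  0 11:02 ?        00:00:00 ./atack 100
apache   24358 23378  0 11:04 ?        00:00:00 ./atack 100
mysql     2300     1  0 10:01 ?        00:00:05 /usr/libexec/mysqld
"""


def parse_ps(text):
    """Parse `ps -ef` output into dicts; CMD is everything after field 7."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split(None, 7)
        if len(parts) < 8:
            continue
        uid, pid, ppid, _c, stime, _tty, _time, cmd = parts
        rows.append({"uid": uid, "pid": int(pid), "ppid": int(ppid),
                     "stime": stime, "cmd": cmd})
    return rows


def live_rows():
    """Same parse against the running host (not used by the sample run)."""
    out = subprocess.run(["ps", "-ef"], capture_output=True,
                         text=True, check=True).stdout
    return parse_ps(out)


def find_suspicious(rows):
    """Flag service-account processes whose executable is not an absolute
    path, and count same-named siblings under the same parent so the
    fan-out seen in the thread (many ./atack children of one httpd) is
    visible in the finding."""
    by_parent = defaultdict(list)
    for r in rows:
        by_parent[r["ppid"]].append(r)
    findings = []
    for r in rows:
        exe = r["cmd"].split()[0]
        if r["uid"] not in SERVICE_ACCOUNTS or exe.startswith("/"):
            continue
        siblings = sum(1 for s in by_parent[r["ppid"]]
                       if s["cmd"].split()[0] == exe)
        pid = r["pid"]
        findings.append({
            "pid": pid, "ppid": r["ppid"], "uid": r["uid"], "exe": exe,
            "siblings": siblings,
            # /proc/PID/exe resolves to the real binary (readlink shows
            # " (deleted)" if it was unlinked after launch); cwd tells you
            # which directory the relative path was run from.
            "inspect": [f"/proc/{pid}/exe", f"/proc/{pid}/cwd",
                        f"/proc/{pid}/cmdline"],
        })
    return findings


def fan_out(findings):
    """Map parent PID -> number of flagged children, to spot the spawner."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["ppid"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_suspicious(parse_ps(SAMPLE_PS))
    for h in hits:
        print(f"PID {h['pid']} ({h['uid']}) runs {h['exe']!r}; "
              f"{h['siblings']} siblings under PPID {h['ppid']}; "
              f"inspect {', '.join(h['inspect'])}")
    print("flagged children per parent:", fan_out(hits))
```

On the sample, every `./atack` row is flagged and `fan_out` points at PID 23378 as the common parent, which is where a responder would look first (its `/proc/23378/exe` and `cwd`, and the web server's access logs around 10:50). The relative-path heuristic is deliberately broad; tuning it means allowlisting the absolute paths your service accounts legitimately run, not loosening the account list.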