Re: possibly compromised redhat 7.2 box

["Eric Gunnett" <eric () zoovy com>]

http://www.chkrootkit.org 

That site is a good start. then from there I like to check the /var/log directory, run dmesg and see if the port was 
ever put in listening mode. Bring over a clean ps, ls, du, df, lsof, netstat and from there you can start to get a real 
picture of the machine.

Eric Gunnett
System Administrator
Zoovy, Inc.
eric () zoovy com


> > > "Melissa McGillis" <mcgillim () cis uab edu> 05/20/04 12:17PM >>>
Hello,

I have a redhat 7.2 server that stopped accepting my ssh login. I can still
use my login at the terminal. I also noticed that the host key changed. My
only guess at this point is that the box was probably compromised. Any good
software out there to help me figure it out? Any other ideas as to what
would cause this?
Anything helps, 
Melissa 
(THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
lists.)



---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------