Re: rpc.statd message log

[Prashant Desai <prashant_secret () yahoo com>]

dont forget to check the /dev dirs and history file
/logs many time intruder forgets to delete the history
file and installs the bins under /dev 
best luck 
prashant 
--- Devdas Bhagat <devdas () dvb homelinux org> wrote:
> On 24/04/03 12:05 -0400, Robert E. Martin wrote:
> <snip>
> > I believe that the machine has been compromised,
> but do not find any 
> > trace using cert.org recommended Intruder
> Detection Checklist. I have 
> IIRC, you use Linux. 
> What distro ( RH 6.2? ). Patch level?
> Run chrootkit, and validate checksums for binaries
> from a clean booted
> system (not booted from the possibly compromised
> disk) using an
> alternate md5sum and kernel binary.
>
> > stopped the rpc.statd service, since we don't use
> this at ALL!
> That should have been stopped as part of OS
> hardening itself.
>
> Devdas Bhagat
> > http://www.kb.cert.org/vuls/id/34043
> > Any thoughts? Anyone?
> >
> > -- 
> > Robert E Martin
> > IT Manager
> > Fishburne Military School
> > rmartin () fishburne org
> > 540.946.7726
> >
> >
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


__________________________________
Do you Yahoo!?
The New Yahoo! Search - Faster. Easier. Bingo.
http://search.yahoo.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards