Security Incidents mailing list archives
RE: info
From: "Joe T." <auximini () yahoo com>
Date: Fri, 3 May 2002 15:59:30 -0700 (PDT)
> Get an 'lsof' listing of processes and what programs are bound to those ports/processes. See if any trojans have been installed on the box.

nothing out of the ordinary..

> One other thing you might want to do is use the find command to find any 'dot' directories.
>
>     % find . -type d -name ".*" -print

just the ones i have already found

> I'd also see what versions of SSHD, etc. were running to figure out how the attacker might have broken in. Check SSH for the CRC32 vulnerability. I would also see if he left telnetd running or any RPC services. Also, might want to let your friend know not to keep tripwire databases on the same machine. They should be put on a protected floppy or cdrom.
sshd, wu-ftp, telnet, and every other program that has had a major security bug in the past year (how long this box has been up) is installed. I doubt I can narrow down how the hacker got in unless he left a copy of whatever exploit he used on the system. So far I haven't found one. I'm going to do another couple of sweeps through the box and see if I can pick up any more info. After that, I'm going to recommend reinstallation and a closer look at how he configures his system.

thanks,

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
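The two triage checks quoted in this exchange (hidden "dot" directories, and which programs are bound to listening ports) as a small POSIX shell script. This is an added example, not code posted by either participant; the function names, the sample directory tree and the ss/netstat fallbacks are my own assumptions. It also handles one detail the bare `find . -type d -name ".*"` does not: the search root `.` itself matches the glob and shows up as a false positive.

```shell
#!/bin/sh
# Added example, not from the original thread: the two triage checks discussed
# above (hidden "dot" directories, and what is bound to listening ports) as
# shell functions. Function names and the sample tree are constructed here.

# Print every hidden directory beneath $1 (default "."), one per line, sorted.
# "find . -type d -name '.*'" also matches the search root itself, because the
# name "." satisfies the glob ".*"; the "! -path" clause drops that false hit.
list_hidden_dirs() {
    root=${1:-.}
    find "$root" -type d -name '.*' ! -path "$root" 2>/dev/null | sort
}

# Same listing with owner, mode and modification time, so a hidden directory
# owned by the wrong user or created recently stands out.
list_hidden_dirs_long() {
    list_hidden_dirs "$1" | while IFS= read -r d; do
        ls -ld "$d"
    done
}

# Number of hidden directories found, for a quick before/after comparison
# across sweeps of the box.
count_hidden_dirs() {
    list_hidden_dirs "$1" | wc -l | tr -d ' '
}

# What is listening and which program owns the socket. Prefers lsof as the
# thread suggests, falling back to ss or netstat (assumed available on Linux).
# Where trojaned binaries are suspected, run these from known-good media rather
# than trusting the host's own copies of lsof/netstat.
listening_ports() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP -sTCP:LISTEN
        lsof -nP -iUDP
    elif command -v ss >/dev/null 2>&1; then
        ss -lntup
    else
        netstat -lntup
    fi
}

# Constructed sample tree: two ordinary hidden directories under a home
# directory, plus one under /var/lib where a hidden directory is out of place.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/user/.ssh" "$d/home/user/.config" \
             "$d/var/lib/.x" "$d/usr/local"
    printf '%s\n' "$d"
}

# Stand-alone run ("sh script.sh demo"): build the sample tree, list its
# hidden directories with details, report the count, and clean up.
if [ "${1:-}" = "demo" ]; then
    t=$(make_sample_tree)
    list_hidden_dirs_long "$t"
    echo "hidden directories: $(count_hidden_dirs "$t")"
    rm -rf "$t"
fi
```

On a real box the interesting output is the union of the two listings: a hidden directory nobody can account for, or a listening port whose owning program is not one the administrator installed, is exactly the "out of the ordinary" item the exchange above is looking for.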