Security Incidents mailing list archives

RE: info


From: "Joe T." <auximini () yahoo com>
Date: Fri, 3 May 2002 15:59:30 -0700 (PDT)

> Get an 'lsof' listing of processes and what programs are bound to
> those ports/processes. See if any trojans have been installed on the
> box.

Nothing out of the ordinary.

> One other thing you might want to do is use the find command to find
> any 'dot' directories.
> % find . -type d -name ".*" -print

Just the ones I have already found.
 
> I'd also see what versions of SSHD, etc. were running to figure out
> how the attacker might have broken in. Check SSH for the CRC-32
> vulnerability. I would also see if he left telnetd running or any RPC
> services. Also, you might want to let your friend know not to keep
> tripwire databases on the same machine. They should be put on a
> protected floppy or CD-ROM.

sshd, wu-ftp, telnet, and every other program that has had a major security bug in the
past year (how long this box has been up) is installed. I doubt I can narrow down how the
hacker got in unless he left a copy of whatever exploit he used on the system. So far I
haven't found one.

I'm going to do another couple of sweeps through the box and see if I can pick up any more
info. After that, I'm going to recommend reinstallation and a closer look at how he
configures his system.

thanks,


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com