Sean Finney on Mon, 15 Jul 2002 05:30:08 +0200
On Sun, Jul 14, 2002 at 03:35:21PM -0400, Jesse P Schultz wrote:
> Check for strange entries in xinetd.conf or inetd.conf (depending on your
> flavor). That's one place that some worms or hackers set up listeners.
>
> Also, try telnet to that port and see what you get. If you get a shell
> without need of a password you have been hacked.

the first thing i'd do depends on what you're using this box for. if it's just a workstation, i'd put it behind a packet-logging firewall, and crank up the logs for incoming connections. if you find someone logging in to your box, a little wall message should scare them off, and you'll know where they came from to boot.

if you are hacked, you could also a) just re-install from scratch, and/or b) report the hacker to their isp. i think neither of those would be nearly as gratifying though :)

> | Am I hacked? that certainly is the question...
> Also, if you are hacked you may have a trojanized netstat and ps (among
> others) so try running those from a floppy.

what i'd be more concerned with is a trojanized libc library, or trojan lkm. i've never actually seen the latter done, but the former is trivial to implement, and rather pervasive to discover. i'd recommend getting on another machine, and re-compiling your shell-utils, base-utils, et cetera packages as static binaries, and then use those to investigate.

i might have missed--what distro/kernel do you use? are you up to date on the latest ssh/dns/other server packages?

--sean
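The cross-check Jesse and Sean are describing (a trojanized netstat or ps hiding a listener) can be done against the kernel's own socket table rather than through the userland tools you distrust. The following is an added Python example, not code from the thread; it assumes a Linux /proc/net/tcp in the IPv4 layout on a little-endian host, and uses a constructed sample table in place of a real capture.

```python
import ipaddress

LISTEN_STATE = "0A"  # state code the kernel prints for LISTEN

# Constructed sample of /proc/net/tcp (not from any real host): listeners on
# *:22, 127.0.0.1:25 and an unexplained *:31337, plus one ESTABLISHED row.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1236 1
   3: 0100007F:0016 0100007F:D4A3 01 00000000:00000000 00:00000000 00000000     0        0 1237 1
"""


def decode_endpoint(hex_endpoint):
    """'0100007F:0016' -> ('127.0.0.1', 22). The kernel prints the IPv4
    address in host byte order, so on little-endian x86 the bytes are
    reversed; the port is plain big-endian hex."""
    ip_hex, port_hex = hex_endpoint.split(":")
    return str(ipaddress.IPv4Address(bytes.fromhex(ip_hex)[::-1])), int(port_hex, 16)


def listening_sockets(proc_net_tcp):
    """Set of (ip, port) pairs whose state column is LISTEN."""
    listeners = set()
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) >= 4 and fields[3] == LISTEN_STATE:
            listeners.add(decode_endpoint(fields[1]))
    return listeners


def hidden_listeners(proc_net_tcp, reported_ports):
    """Listeners present in the kernel table but absent from the port list
    a distrusted netstat printed; each one deserves a close look."""
    return {ep for ep in listening_sockets(proc_net_tcp) if ep[1] not in reported_ports}


if __name__ == "__main__":
    # On a live Linux box read the kernel table directly; {22, 25} is a
    # hypothetical set of ports copied from the netstat you suspect.
    try:
        text = open("/proc/net/tcp").read()
    except OSError:
        text = SAMPLE_PROC_NET_TCP
    for ip, port in sorted(hidden_listeners(text, {22, 25})):
        print(f"unreported listener: {ip}:{port}")
```

A loadable kernel module that filters /proc itself defeats this check, which is Sean's point about a trojan lkm; in that case only an inspection from outside the running kernel (another machine, or a boot from trusted media) is conclusive.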