On Wednesday 19 September 2007, Grant wrote:
> I recognize everything in 'ps -ef' I think, but I've never really used
> netstat before. Under "Active Internet connections" I don't
> recognize:
>
> tcp localhost:10030
> tcp *:snpp

Hmm, are you running postfix on this server (just a suspicion)? Also, snpp is for pagers:

http://en.wikipedia.org/wiki/Simple_Network_Paging_Protocol

Run

# netstat -anop

which will show you the process owner. Hopefully, if there is something running it will show up (clever scripts can mask themselves from netstat, ps auxf, etc.). Then run lsof (check man lsof) to see if there is anything suspicious there, like another user logged in either as root or with a different name.

Finally, ask your ISP to boot off a LiveCD and scan the machine with rkhunter and chkrootkit. Depending on how many thousands of tickets the database had, the crackers may or may not have found out about your root passwd. On the other hand, if you can't sleep at night it is better to format and reinstall.

HTH.
--
Regards,
Mick
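Added example, not part of the original message: a small filter that reads `netstat -anop` output and lists each listening TCP port with its bind scope and the PID/program netstat reports, so the two sockets asked about can be tied to a process. The sample output, the program name `exampled` and the function names are constructed for illustration; 444 is the numeric port behind the service name snpp.

```shell
#!/bin/sh
# Constructed sample of `netstat -anop` output (not taken from the thread).
# With -n, *:snpp is shown numerically as 0.0.0.0:444.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 127.0.0.1:10030         0.0.0.0:*               LISTEN      2211/exampled        off (0.00/0/0)
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1874/sshd            off (0.00/0/0)
tcp        0     48 192.0.2.10:22           198.51.100.7:51514      ESTABLISHED 30112/sshd: grant    on (0.21/0/0)
tcp6       0      0 ::1:631                 :::*                    LISTEN      1990/cupsd           off (0.00/0/0)
EOF
}

# Reads netstat -anop output on stdin; prints "port<TAB>scope<TAB>owner"
# for every TCP listener, sorted by port.
triage_listeners() {
    awk '
    $1 ~ /^tcp6?$/ && $6 == "LISTEN" {
        n = split($4, part, ":")          # port is the text after the last colon
        port = part[n]
        addr = substr($4, 1, length($4) - length(port) - 1)
        scope = (addr ~ /^127\./ || addr == "::1") ? "loopback" : "exposed"
        # "-" means netstat could not name a process: it was not run as
        # root, or the socket belongs to the kernel. Check these first.
        owner = ($7 == "-") ? "NO-OWNER" : $7
        printf "%s\t%s\t%s\n", port, scope, owner
    }' | sort -n
}

# Ports with no visible owner, one per line, for a follow-up lsof check.
unowned_ports() {
    triage_listeners | awk -F'\t' '$3 == "NO-OWNER" { print $1 }'
}

# Demo on the constructed sample. On a live host, as root:
#   netstat -anop | triage_listeners
sample_netstat | triage_listeners
```

Each port printed by `unowned_ports` can then be checked with `lsof -nP -iTCP:<port> -sTCP:LISTEN` run as root.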