Incoming from GRAHAM MONK:
> This morning while browsing I noticed a lot of HD activity. I ran top
> and found someone called "nobody" was running find.

nobody is a common default user. cron jobs often su to nobody to do
things, like run find or updatedb (for the locate database).

> I pulled my network connection and tried to find what was going on.
> I have downloaded and run chkrootkit, and "top" and "find" were
> marked INFECTED.

That is bad news, though chkrootkit does tend to err on the side of
false positives. You might attempt to compare those binaries against
your install media. However, you may be better off re-installing just
to be sure.

> I will install chkrootkit and portsentry once the install is done. Is
> there anything else I should do? I will change my passwords also.

Tripwire? Best would be locking down the system at the basic level.
Don't run services/daemons you don't have to. Comment out everything in
(x)inetd.conf that you don't really need. Replace complex, potential
problem daemons with sufficient, secure alternatives (DNS: maradns
caching server; SMTP: ssmtp; ...).

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling

_______________________________________________
clug-talk mailing list
[EMAIL PROTECTED]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
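The reply suggests comparing the flagged "top" and "find" binaries against the install media. The script below is an added example (not from the thread or from either poster) of how that comparison works in practice: record a checksum manifest from a known-good tree, then check the live tree against it and count what differs. It assumes GNU coreutils `sha256sum` (for `-c --quiet`) and uses a constructed scratch directory with stand-in files in place of real binaries and real install media.

```shell
#!/bin/sh
# Added example: checksum-baseline comparison of binaries against a
# known-good copy (e.g. install media). All paths below are a constructed
# scratch tree; nothing here touches the real system.

WORK="${TMPDIR:-/tmp}/baseline-demo.$$"

# make_baseline DIR MANIFEST
#   Record the sha256 of every regular file under DIR (relative paths),
#   sorted by path so the manifest is stable across runs.
make_baseline() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && find . -type f -exec sha256sum {} + | sort -k 2 ) > "$manifest"
}

# verify_baseline DIR MANIFEST
#   Exit 0 only if every file in MANIFEST matches its copy under DIR.
#   Mismatched paths are printed as "path: FAILED" (GNU sha256sum -c).
verify_baseline() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && sha256sum -c --quiet "$manifest" ) 2>/dev/null
}

# count_mismatches DIR MANIFEST
#   Print the number of files under DIR whose checksum differs from MANIFEST.
count_mismatches() {
    dir="$1"; manifest="$2"
    ( cd "$dir" && sha256sum -c --quiet "$manifest" 2>/dev/null ) | wc -l | tr -d ' '
}

# setup_demo: build a "media" tree (trusted) and an identical "live" tree,
# then take the baseline from the trusted copy. Contents are constructed.
setup_demo() {
    rm -rf "$WORK"
    mkdir -p "$WORK/media/bin" "$WORK/live/bin"
    printf 'top v1\n'  > "$WORK/media/bin/top"
    printf 'find v1\n' > "$WORK/media/bin/find"
    printf 'ls v1\n'   > "$WORK/media/bin/ls"
    cp "$WORK/media/bin/"* "$WORK/live/bin/"
    make_baseline "$WORK/media" "$WORK/baseline.sha256"
}

# tamper_demo: simulate the situation in the thread, where the live copies
# of top and find no longer match what shipped.
tamper_demo() {
    printf 'top v1 + extra bytes\n'  > "$WORK/live/bin/top"
    printf 'find v1 + extra bytes\n' > "$WORK/live/bin/find"
}

# Stand-alone run: clean tree verifies, modified tree reports two mismatches.
setup_demo
echo "clean tree mismatches:   $(count_mismatches "$WORK/live" "$WORK/baseline.sha256")"
tamper_demo
echo "tampered tree mismatches: $(count_mismatches "$WORK/live" "$WORK/baseline.sha256")"
verify_baseline "$WORK/live" "$WORK/baseline.sha256" || echo "live tree does NOT match baseline"
rm -rf "$WORK"
```

The important caveat, and the reason the reply still leans toward reinstalling, is that the baseline must come from media you trust and the `sha256sum` you run must itself be trustworthy; a checksum taken on a machine whose binaries are already suspect proves nothing, so run the comparison from a clean boot or from the install media's own tools.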

