Not sure how to do that (look at scheduled jobs). If it was a rootkit, it could have come over the wireless connection I was using; it was only running 64-bit WEP, all this card will do.
G

On Sunday 30 May 2004 14:53, Niels Voll wrote:
> wow - that would be a little depressing, installing a brand new distro
> with one of the better reputations, and already an exploited
> vulnerability. So I sincerely hope, that these were false positives, due
> to the fact, that the distro is so new, and maybe chkrootkit was thrown
> off by that a bit.
>
> The user "nobody" is a legitimate id, usually bestowed with very few
> privileges (e.g. no shell). I think it is used (by some servers or
> scheduled jobs) to kick off (sub)processes with very few privileges,
> which tends to be a good thing.
>
> Regarding the disk activity, have you had a look at your scheduled jobs?
> I have been freaked out more than once about sudden extensive disk
> activity only to find out, that these were caused by scheduled jobs,
> which had been part of the default install with a default time setting
> for them to be run. (Log rotations, e-mailing of log extracts, etc.)
>
> I'd be grateful, if you could share your eventual findings with us,
> since, while I take several of the easier precautions (new system
> installs only behind a firewall, open/forward only the required ports in
> the firewall _after_ all patches have been applied to a new install,
> don't even install telnet, etc.). But I'd like to know, if I need to
> increase my own paranoia level, even with a very new and very respected
> distro.
>
> Good luck hunting, let's hope it was a false alarm, and let us know !
>
> ...Niels
>
> GRAHAM MONK wrote:
> >SuSE 9.1 Pro, sorry should have given that.
> >
> >G
> >
> >----- Original Message -----
> >From: Jon Copeland <[EMAIL PROTECTED]>
> >Date: Sunday, May 30, 2004 1:25 pm
> >Subject: Re: [clug-talk] I think I got rootkitted
> >
> >>What Distro are you running?
> >>
> >>-j-
> >>
> >>GRAHAM MONK wrote:
> >>>Hi All
> >>>
> >>>This morning while browsing I notice a lot of HD activity,
> >>>I ran top and found someone called "nobody" was running find.
> >>>I pulled my network connection and tried to find what was going on.
> >>>I have downloaded and run chkrootkit and "top" and "find" were marked INFECTED.
> >>>I tried running the install disc and "repair system" but the same result with chkrootkit.
> >>>I am currently doing a reinstall and leaving my home partition untouched.
> >>>I will install chkrootkit and portsentry once install is done, is there anything else I should do?
> >>>I will change my passwords also.
> >>>
> >>>Thanks for any advice
> >>>
> >>>Graham
> >>>
> >>>_______________________________________________
> >>>clug-talk mailing list
> >>>[EMAIL PROTECTED]
> >>>http://clug.ca/mailman/listinfo/clug-talk_clug.ca
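
One way to act on the "look at your scheduled jobs" suggestion in the thread above, as an added example that is not part of the original messages: the hypothetical helper `cron_refs` lists cron entries that mention a given command or user, such as `find` or `nobody`. The cron paths are the usual Linux locations and are an assumption about the system; the sample tree is constructed for the demo.

```shell
#!/bin/sh
# List scheduled-job lines that mention a given word (a command or a user name).
# Usage: cron_refs ROOT WORD    e.g.  cron_refs / find ; cron_refs / nobody
cron_refs() {
    root=${1%/}; word=$2
    for f in "$root"/etc/crontab "$root"/etc/cron.d/* \
             "$root"/etc/cron.hourly/* "$root"/etc/cron.daily/* \
             "$root"/etc/cron.weekly/* "$root"/etc/cron.monthly/* \
             "$root"/var/spool/cron/* "$root"/var/spool/cron/tabs/*; do
        [ -f "$f" ] || continue          # unmatched globs and directories are skipped
        name=${f#"$root"}                # report the path relative to ROOT
        # Skip comment lines; match WORD as a whole field or as the basename of a path.
        awk -v w="$word" -v name="$name" '
            /^[[:space:]]*#/ { next }
            { for (i = 1; i <= NF; i++) {
                  t = $i; gsub(/["'\''();]/, "", t)
                  if (t == w || t ~ ("/" w "$")) { print name ":" FNR ": " $0; next }
              } }
        ' "$f"
    done
}

# Constructed sample tree (not taken from any real system), so the demo runs offline.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/etc/cron.daily" "$d/etc/cron.d"
    printf '%s\n' '# run daily jobs' \
        '15 4 * * * root run-parts /etc/cron.daily' > "$d/etc/crontab"
    printf '%s\n' '#!/bin/sh' '# rebuild the file-name index' \
        'su nobody -c "/usr/bin/find / -xdev -print" > /var/tmp/index' \
        > "$d/etc/cron.daily/index-files"
    printf '%s\n' '0 * * * * root /usr/sbin/logrotate /etc/logrotate.conf' \
        > "$d/etc/cron.d/logrotate"
    echo "$d"
}

sample=$(make_sample)
cron_refs "$sample" find      # which jobs run find?
cron_refs "$sample" nobody    # which jobs drop to the nobody account?
rm -rf "$sample"
```

On a live system, `cron_refs / find` gives the list of jobs to compare against the time the disk activity was seen; an empty result means the process did not come from these cron locations.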

