I am now, and also slapping a firewall box before it to filter traffic

David Smulsky
[EMAIL PROTECTED]
www.thehostworks.com

----- Original Message -----
From: "Steve Werby" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, December 16, 2002 10:35 AM
Subject: Re: [cobalt-security] Compromised?

"David Smulsky" <[EMAIL PROTECTED]> wrote:
> I have a Raq550, and for no reason as far as I can tell, my mrtg daemons
> stopped this last Friday at night, and this morning when I realized it, I ran
> chkroot, everything came up clean EXCEPT /root/.bash_history was zero
> bytes..
>
> Is there any possible way raq's do this to themselves, or should I be
> seriously looking for a hacker, I can't seem to find a trace.

Unless you've made changes to bash's behavior from that on a stock 550, ~root/.bash_history doesn't get cleared out. So if the file is chmod 600, owned by root:root like it should be, that's likely the result of a rootkit or manual command by an intruder to cover his/her tracks. Unless of course you've never logged in via the shell as root and executed a command. If it was my box or a client's I'd definitely investigate.

--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security

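The checks discussed in the thread (zero-byte history file, mode 600, expected owner) can be scripted for triage. The following is an added example, not part of the original messages; the function name `check_history` and the sample files are constructed for illustration, and the history path and expected uid are supplied by the caller.

```shell
#!/bin/sh
# Added example: triage a shell history file for the signs discussed above.
# check_history FILE EXPECTED_UID  -> prints one finding per line (hypothetical helper)
check_history() {
    f=$1
    want_uid=$2
    if [ -L "$f" ]; then
        # A history file replaced by a link (commonly to /dev/null) records nothing.
        echo "SYMLINK $f -> $(readlink "$f")"
        return 0
    fi
    if [ ! -e "$f" ]; then
        echo "MISSING $f"
        return 0
    fi
    # ls -ldn fields: mode links uid gid size month day time name
    set -- $(ls -ldn "$f")
    mode=$1 uid=$3 size=$5 mtime="$6 $7 $8"
    case $mode in
        -rw-------*) ;;   # mode 600, as the reply expects
        *) echo "MODE $f is $mode, expected -rw-------" ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "OWNER $f has uid $uid, expected $want_uid"
    fi
    if [ "$size" -eq 0 ]; then
        # The mtime shows when the file was last truncated or written.
        echo "EMPTY $f is zero bytes, last modified $mtime"
    fi
    return 0
}

# Constructed sample files (not from the thread) to show the output.
demo=$(mktemp -d)
: > "$demo/emptied"; chmod 600 "$demo/emptied"
echo 'ls -la' > "$demo/normal"; chmod 600 "$demo/normal"
ln -s /dev/null "$demo/linked"
for h in emptied normal linked; do
    check_history "$demo/$h" "$(id -u)"
done
rm -rf "$demo"
```

On a live system the call would be `check_history /root/.bash_history 0`; compare the reported modification time of an empty file against login records before drawing conclusions.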