Incoming from Rick Moen:
> Quoting Marcel Weber ([EMAIL PROTECTED]):
>
> > But what made me shudder was this: In the /tmp folder I found these files:
> >
> > drwx------ 2 root root 48 Aug 10 19:36 Ib2KZi
> > drwx------ 2 root root 88 Jan 3 06:12 MF2oMw
> > drwx------ 2 root root 48 Aug 11 16:32 S0oNze
> >
> > Is this a left over from an attempt to hack my system?
>
> Highly unlikely. Attackers know that /tmp isn't an out-of-the-way
> place. Admins and other users look there all the time. Intruders tend
> to hide things away in places like boring-sounding subdirectories of /dev .
>
> > How can I check what happened and if the attacker succeeded?
>
> Read the advisories from your well-tuned IDS. ;->
> http://linuxgazette.net/issue98/moen.html

Install chkrootkit (www.chkrootkit.org) and run it regularly (from cron).
It's very easy to use, and chkrootkit-users is a very low volume, high
S/N ratio list.

BTW:

(0) keeling /home/keeling/dox_ all `which netstat` `which env`
-rwxr-xr-x 1 root root 86892 Nov 23 2001 /bin/netstat*
-rwxr-xr-x 1 root root 10332 Jul 26 2001 /usr/bin/env*

1 Mb is *way* out of line!

-- 
Any technology distinguishable from magic is insufficiently advanced.
(*) http://www.spots.ab.ca/~keeling
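The size comparison in the reply above, generalised into a repeatable baseline check, as an added example that is not part of the original message: it records size and SHA-256 for a list of binaries and later reports any that are missing or differ. The function names and the baseline line format are assumptions of this example, and the baseline is only meaningful if it was taken on a known-clean system and is kept somewhere the host cannot modify.

```shell
#!/bin/sh
# Added example (not from the thread): baseline and verify system binaries.
# Function names are hypothetical. Baseline line format, an assumption of
# this example:  <size-in-bytes> <sha256> <path>

# make_baseline FILE...  -> prints one baseline line per regular file
make_baseline() {
    for f in "$@"; do
        if [ ! -f "$f" ]; then
            echo "skip: $f is not a regular file" >&2
            continue
        fi
        size=$(wc -c < "$f" | tr -d ' ')
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s %s\n' "$size" "$sum" "$f"
    done
}

# verify_baseline BASELINE -> prints MISSING/CHANGED lines for anything that
# no longer matches; returns 0 if everything matches, 1 otherwise
verify_baseline() {
    rc=0
    while read -r size sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        now_size=$(wc -c < "$path" | tr -d ' ')
        now_sum=$(sha256sum "$path" | cut -d' ' -f1)
        if [ "$now_size" != "$size" ] || [ "$now_sum" != "$sum" ]; then
            echo "CHANGED $path size $size -> $now_size"
            rc=1
        fi
    done < "$1"
    return $rc
}

# Typical use, with the baseline kept on read-only or remote media:
#   make_baseline "$(which netstat)" "$(which env)" > baseline.txt
#   verify_baseline baseline.txt || echo "investigate before trusting this host"
```

A matching size with a different hash still counts as a change, which a plain `ls -l` comparison would miss.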

