On 5/11/05, Jim Beard <[EMAIL PROTECTED]> wrote:
> the bootP tar ball is an irc bot. The irc-bot was connected to an irc
> server in Finland.

Most probably the control channel.

> > All the time stamps on these files / directories indicate that this
> > all occurred on May 9th.

Don't assume that that was the only compromise, especially if the system
shared passwords/uids or had any kind of trust relationship with other
machines on your network.

> > I guess I should contact the university in Romania that was used to
> > snag the psybnc app, and netfirms, to let them know that their systems
> > have been compromised as well...
> >
> > Any other advice?

Change keys and passwords, and revoke any certificates for which the key was
available on the machine. Check the rest of your network. Use mtree or
something similar to compare the hashes of system binaries
(http://md5deep.sourceforge.net/ can check external hash sources, which can
be effective for binary distributions like RedHat). Also do a few
broad-spectrum sweeps of your network traffic using ethereal or ntop and
check out anything weird, since the fact that one of your machines was
compromised raises the risk for the rest of your network.

Make sure you get enough sleep, since lack of sleep will affect your
judgment ;-)

--
http://Zoneverte.org -- information explained
Do you know what your IT infrastructure does?

_______________________________________________
EUGLUG mailing list
[email protected]
http://www.euglug.org/mailman/listinfo/euglug
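The hash-comparison step recommended above (mtree or md5deep against a trusted hash source), as an added shell example that is not part of the original post or of either tool: build a baseline of file hashes from a trusted copy of the binaries, then hash the suspect tree and report every file that is modified, new or missing. The directory layout, file names and tampered contents are constructed for the demo; sha256sum (falling back to shasum) stands in for md5deep's MD5 lists. The point the post makes still holds here: the baseline has to come from install media, a known-good host or vendor hash lists, because on a rooted machine find, awk and the hash tool may have been swapped out along with ls and ps.

```shell
#!/bin/sh
# Added example (not from the original post): baseline-and-compare check of a
# binary tree, in the spirit of the mtree / md5deep advice in the thread.
#
# The baseline must be produced from a TRUSTED copy (install media, a known-good
# host, vendor hash lists), never from the suspect machine itself.

# Prefer sha256sum (GNU coreutils); fall back to perl's shasum. Both print "hash  path".
HASH_CMD="sha256sum"
command -v sha256sum >/dev/null 2>&1 || HASH_CMD="shasum -a 256"

# build_baseline DIR OUT: one "hash  ./relative/path" line per regular file under DIR.
# Paths are recorded relative to DIR so the same baseline applies to a mounted copy.
# $HASH_CMD is deliberately unquoted so "shasum -a 256" splits into its arguments.
build_baseline() {
    ( cd "$1" && find . -type f -exec $HASH_CMD {} + | LC_ALL=C sort -k2 ) > "$2"
}

# verify_tree DIR BASELINE: hash DIR now and join it against BASELINE by path.
# Prints one line per difference (MODIFIED / NEW / MISSING) and returns 0 only
# if nothing differs. Assumes paths without whitespace (awk splits on it).
verify_tree() {
    current=$(mktemp)
    build_baseline "$1" "$current"
    report=$(awk '
        NR == FNR { base[$2] = $1; next }          # first file: trusted baseline
                  { cur[$2]  = $1 }                # second file: current state
        END {
            for (f in base) if (!(f in cur))                      print "MISSING  " f
            for (f in cur)  if (!(f in base))                     print "NEW      " f
            for (f in cur)  if ((f in base) && base[f] != cur[f]) print "MODIFIED " f
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -n "$report" ]; then printf '%s\n' "$report"; fi
    [ -z "$report" ]
}

# run_demo: constructed trees standing in for a trusted copy and the live host.
# The "binaries" are tiny text files; the tampering mirrors a typical
# post-compromise picture: a trojaned ps, a dropped bot, a deleted tool.
run_demo() {
    work=$(mktemp -d)
    mkdir -p "$work/trusted/bin" "$work/live/bin"
    printf 'ls v1\n'      > "$work/trusted/bin/ls"
    printf 'ps v1\n'      > "$work/trusted/bin/ps"
    printf 'netstat v1\n' > "$work/trusted/bin/netstat"
    cp "$work/trusted/bin/"* "$work/live/bin/"
    build_baseline "$work/trusted" "$work/baseline.txt"

    printf 'ps v1 + hide bot\n' > "$work/live/bin/ps"    # trojaned (constructed)
    printf 'irc bot\n'          > "$work/live/bin/.bnc"  # dropped  (constructed)
    rm -f "$work/live/bin/netstat"                       # removed  (constructed)

    if verify_tree "$work/live" "$work/baseline.txt"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

if run_demo; then
    echo "tree matches baseline"
else
    echo "differences found (exit status 1): treat the host as untrusted and reinstall"
fi
```

On a RedHat-family host the package manager's own verification (`rpm -Va`) is the closest built-in equivalent, but it compares against the RPM database on the same possibly compromised disk, which is exactly why the post points at external hash sources: a baseline written by the attacker is worth nothing. Any MODIFIED or NEW hit under a system binary directory is a reason to stop investigating on the live host and work from a clean boot medium or an offline image.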
