On Thu, 2003-11-06 at 13:21, D. R. Evans wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 6 Nov 2003 at 10:49, Jack Coates wrote:
>
> > based on these scans and the vger results, I don't think postfix is
> > misconfigured at all; the attacker is logging in and sending those mails
> > from localhost. format the drive and start over.
> >
>
> And install something that runs from a CD and daily checks for the presence
> of rootkits (like chkrootkit, for example), to stop this happening again --
> or at least so you know when it happens.
>
> Doc
>
I recently saw something really simple and evil :-) It was a ten minute cron job that compared timestamps of a few files like /etc/password and /etc/shadow with copies of them that were placed in a hidden directory. If the compare failed, the machine would wall that you'd tripped it up with a code message -- admins would realize their mistake, crackers would know something was wrong but wouldn't know what. Sixty seconds later, shutdown -h now :-)

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...
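
The cron tripwire described in the message above, sketched as an added example; it is not code from the original post or from the system its author saw. The names `BASELINE_DIR`, `WATCHED`, `TRIPWIRE_ARMED`, the script path in the cron comment and the wall text are assumptions, and the `cmp` content check is an addition to the timestamp comparison the message describes.

```shell
#!/usr/bin/env bash
# Added example: cron-driven tripwire for a few critical files.
# BASELINE_DIR, WATCHED and TRIPWIRE_ARMED are hypothetical names.
BASELINE_DIR="${BASELINE_DIR:-/root/.baseline}"
WATCHED="${WATCHED:-/etc/passwd /etc/shadow}"

# Run once on a known-good system: cp -p keeps each file's mtime on the copy.
tripwire_init() {
    local f
    mkdir -p "$BASELINE_DIR" && chmod 700 "$BASELINE_DIR" || return 1
    for f in $WATCHED; do
        cp -p "$f" "$BASELINE_DIR/$(basename "$f")" || return 1
    done
}

# Print every watched file that is missing or no longer matches its copy.
# Returns 1 if anything tripped, 0 if all files match.
tripwire_check() {
    local tripped=0 f ref
    for f in $WATCHED; do
        ref="$BASELINE_DIR/$(basename "$f")"
        if [ ! -e "$f" ] || [ ! -e "$ref" ]; then
            echo "$f"; tripped=1
        # Timestamp test from the message; cmp also catches an edit whose
        # mtime was reset afterwards (an addition, not in the message).
        elif [ "$f" -nt "$ref" ] || [ "$f" -ot "$ref" ] || ! cmp -s "$f" "$ref"; then
            echo "$f"; tripped=1
        fi
    done
    return "$tripped"
}

# Dry run unless TRIPWIRE_ARMED=1; only then broadcast and halt.
tripwire_respond() {
    if [ "${TRIPWIRE_ARMED:-0}" = 1 ]; then
        logger -t tripwire "changed: $*"
        echo "maintenance code 17" | wall   # constructed opaque message
        sleep 60
        shutdown -h now
    else
        echo "DRY RUN, would wall and halt; changed: $*"
    fi
}

# Hypothetical cron entry (every ten minutes):
#   */10 * * * * /root/bin/tripwire.sh check
case "${1:-}" in
    init)  tripwire_init ;;
    check) changed=$(tripwire_check) || tripwire_respond $changed ;;
esac
```

Run it with `init` after a clean install and again after every legitimate account change, otherwise the next `check` trips on the administrator's own edit.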
