hi ya...
wasn't this an MS bug/attack... and if so...
why are you looking at your linux logs???
or are these the logs of your firewall??? which shoulda kept
track of incoming traffic to that MS server
and if you were doing some poking around...
- logs can be erased and covered up.....
utmp and wtmp ( binary files, use "last -f /var/log/wtmp" )
check your webserver logs too
when checking your logs...if you use the "replaced/trojaned"
binaries to vi, ls, cat, ps, grep your log files...
they could have put a few lines of code to hide themselves...
so you won't see anything.... even if they are sitting in the
machine at the same time you're looking for them...
- always use binaries from your CDROM... not the machine
that was hacked
and....
- you'd need to check the checksum of your binaries
- you'd need to check the config files for new changes too
- you'd need to check for new directories and files you didn't install
how good you are at checking/preventing things is the "trick"...
and/or defending your box against incoming attacks
how much time you wanna spend on each detail is the other issue
c ya
alvin
On Sat, 26 May 2001, Nontakorn wrote:
> For my case....I've checked my logs (syslog, sulog, lastlog, logs in /usr,
> logs in /var, etc..) didn't find anything of suspicion. Am I overlooking
> some log file? How are others faring in tracing the source?
>
> Sincerely yours,
>
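The three checks alvin lists (run only known-good binaries, compare checksums of the installed ones, look for files you never installed) as one added shell example; this is not code from the original thread. TRUSTED_PATH, the baseline file and the directory names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: verify binaries against a
# checksum baseline and flag files the baseline never saw, running every
# tool ONLY from a trusted location, never from the suspect host's PATH.
# Assumption: TRUSTED_PATH lists the bin dirs of known-good media, the
# post's "binaries from your CDROM". The default below is only so the
# example runs as-is; on a suspect host point it at the read-only mount.
TRUSTED_PATH="${TRUSTED_PATH:-/usr/bin:/bin}"

# t TOOL ARGS...: run TOOL from TRUSTED_PATH, with no fallback to $PATH.
t() {
  tool="$1"; shift; oldifs="$IFS"; IFS=:
  for td in $TRUSTED_PATH; do
    if [ -x "$td/$tool" ]; then IFS="$oldifs"; "$td/$tool" "$@"; return; fi
  done
  IFS="$oldifs"; echo "no trusted $tool in $TRUSTED_PATH" >&2; return 127
}

# make_baseline DIR OUT: record "sha256  path" for every regular file under
# DIR while the host is known clean, e.g. right after installation.
make_baseline() {
  t find "$1" -type f | t sort | while IFS= read -r f; do
    t sha256sum "$f"
  done > "$2"
}

# verify_baseline DIR BASELINE: print one finding per line, CHANGED, MISSING
# or NEW followed by the path, and return 1 if any; return 0 when clean.
verify_baseline() {
  dir="$1"; base="$2"
  paths="$(t cut -c67- "$base")"   # sha256 hex is 64 chars + 2 spaces
  report="$(
    while IFS= read -r line; do
      want="${line%% *}"; f="${line#*  }"
      if [ ! -f "$f" ]; then
        echo "MISSING $f"
      elif [ "$(t sha256sum "$f" | t cut -d' ' -f1)" != "$want" ]; then
        echo "CHANGED $f"
      fi
    done < "$base"
    t find "$dir" -type f | t sort | while IFS= read -r f; do
      printf '%s\n' "$paths" | t grep -qxF "$f" || echo "NEW $f"
    done
  )"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}
```

Take the baseline from install media or a clean build, keep it off the host, and run the verification with TRUSTED_PATH pointing at the read-only media so a replaced sha256sum or grep cannot lie about its own fingerprint.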