On 2007-02-11, Chris Nolan <[EMAIL PROTECTED]> wrote:
> A long time ago when a LAMP box of mine got hacked.. they installed a
> program in /tmp/<random characters> that would connect to IRC
> servers. Basicly they made my box a bot. The way I found it was I
> saw outgoing IRC connections when I was in netstat looking for
> something else.
>
> They got me thorugh and expolit in awstats which I no longer run.
> The only way I was sure that I got rid of the hack was I wiped and
> reloaded the machine from scratch.
>
> Long of it is.. check for odd processes as well.
A good rootkit will install a "ps" that won't show the 'bot
processes. The one time a machine of mine got hacked, netstat
still worked, but I don't know why a hacked netstat couldn't be
installed as well.
Looking through /proc/<pid> is probably still reliable.
--
Grant Edwards grante Yow! I am deeply CONCERNED
at and I want something GOOD
visi.com for BREAKFAST!
--
[email protected] mailing list
