On 2007-02-11, Chris Nolan <[EMAIL PROTECTED]> wrote:

> A long time ago when a LAMP box of mine got hacked.. they installed a
> program in /tmp/<random characters> that would connect to IRC
> servers. Basically they made my box a bot. The way I found it was I
> saw outgoing IRC connections when I was in netstat looking for
> something else.
>
> They got me through an exploit in awstats which I no longer run.
> The only way I was sure that I got rid of the hack was I wiped and
> reloaded the machine from scratch.
>
> Long of it is.. check for odd processes as well.

A good rootkit will install a "ps" that won't show the 'bot processes. The one time a machine of mine got hacked, netstat still worked, but I don't know why a hacked netstat couldn't be installed as well. Looking through /proc/<pid> is probably still reliable.

--
Grant Edwards                   grante             Yow! I am deeply CONCERNED
                                  at               and I want something GOOD
                               visi.com            for BREAKFAST!
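
The /proc walk suggested in the reply above, as an added example that is not part of the original thread: it lists PIDs straight from /proc, flags processes whose binary runs from a /tmp-style scratch directory or has been deleted, and reports PIDs that are missing from a saved ps listing. The function names, the `--live` switch and the list of scratch directories are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads /proc/<pid> directly rather than
# trusting ps; function names and the --live switch are this example's own.

# list_proc_pids ROOT: numeric directory names under ROOT (default /proc).
list_proc_pids() (
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        if [ -d "$d" ]; then printf '%s\n' "${d##*/}"; fi
    done | sort -n
)

# suspicious_exes ROOT: print "pid<TAB>exe" for processes whose binary lives in
# a world-writable scratch directory or was unlinked after it was started.
# "(deleted)" also shows up after package upgrades, so treat hits as leads.
suspicious_exes() (
    root=${1:-/proc}
    for pid in $(list_proc_pids "$root"); do
        # readlink fails for kernel threads, exited pids, or when not root
        exe=$(readlink "$root/$pid/exe" 2>/dev/null) || continue
        case $exe in
            /tmp/*|/var/tmp/*|/dev/shm/*|*' (deleted)')
                printf '%s\t%s\n' "$pid" "$exe" ;;
        esac
    done
)

# hidden_pids ROOT PS_FILE: pids present under ROOT but absent from PS_FILE,
# a saved "ps -e -o pid=" listing. Short-lived processes started after the
# snapshot appear here too, so re-check any pid that is reported.
hidden_pids() (
    root=${1:-/proc}
    for pid in $(list_proc_pids "$root"); do
        grep -qx "[[:space:]]*$pid[[:space:]]*" "$2" || printf '%s\n' "$pid"
    done
)

# Live run (as root, so every /proc/<pid>/exe link is readable): sh <script> --live
if [ "${1:-}" = "--live" ]; then
    snap=$(mktemp)
    ps -e -o pid= > "$snap"
    echo "== running from scratch dirs or deleted binaries =="
    suspicious_exes /proc
    echo "== in /proc but not reported by ps =="
    hidden_pids /proc "$snap"
    rm -f "$snap"
fi
```

A mismatch only exposes replaced userland tools; a kernel-level rootkit can filter /proc as well, so a clean result is not proof of a clean machine.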