On 13 Nov 2002, Gilad Ben-Yossef wrote:

> On Wed, 2002-11-13 at 18:18, Ben-Nes Michael wrote:
> 
> > I noticed my web server is extremely busy so I ran 'top' and saw 4 tar
> > processes were running in the background under 'nobody'
> > 
> > I killed them and started to look around in my logs but vile :(
> > 
> > any ideas ? ( it's not cron )
> 
> Yes - congratulations! Your box has most likely been rooted.
> 
> Your log files have been edited. Your 'ps', 'netstat', 'login', 'less'
> and a zillion other binaries have been replaced with trojaned copies
> programmed to not show you exactly that which you are looking for.
> 
> Your best bet is to disconnect the computer from the network, boot using
> a floppy and take whatever *data* files you might need. *DO NOT* copy or
> run any executable. Format HD and reinstall OS, and make sure to apply
> all the latest patches etc...

hold your horses....

before jumping to such a conclusion - one should verify that indeed their 
system was broken into. by killing those processes - michael lost 
invaluable information - e.g. what files were handled by these tar 
commands - which process was their parent process, etc.

however, if there was a break-in, one could find it e.g. by looking for 
system binaries whose checksum is different than that of a 'safe' system.
or checking last update times (ls -c, not just ls) on various system 
files. and then doing some thinking...

too many times i had situations that alerted me to think "oh my god, 
someone broke into my system" - when some checking showed there was no 
break-in - some application broke, or some other valid user with 
valid 'root' access made changes to the system and did not tell me about 
them, etc.

of course, the matter should not be overlooked - but also not automatically 
assumed to be a 'break-in' just by using circumstantial evidence.

-- 
guy

"For world domination - press 1,
 or dial 0, and please hold, for the creator." -- nob o. dy
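The check guy describes above (comparing checksums of system binaries against a known-good baseline, and looking at ctime rather than mtime) as an added example; this is not code from the thread, and the temporary directory, file names and the `demo` helper are constructed for illustration.

```python
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record (sha256, ctime) for every regular file under root, taken from the 'safe' system."""
    root = Path(root)
    return {str(p.relative_to(root)): (sha256_of(p), p.stat().st_ctime)
            for p in root.rglob("*") if p.is_file()}


def compare_to_baseline(root, baseline, since=None):
    """Report modified, missing and new files, plus files whose inode ctime is newer than `since`."""
    current = build_baseline(root)
    findings = {"modified": [], "missing": [], "new": [], "recent_ctime": []}
    for name, (digest, _) in baseline.items():
        if name not in current:
            findings["missing"].append(name)
        elif current[name][0] != digest:
            findings["modified"].append(name)
    for name, (_, ctime) in current.items():
        if name not in baseline:
            findings["new"].append(name)
        if since is not None and ctime > since:  # ctime, i.e. what 'ls -c' shows, not mtime
            findings["recent_ctime"].append(name)
    return findings


def demo():
    # Constructed sample: a fake bin directory with two 'binaries', baselined while clean.
    with tempfile.TemporaryDirectory() as root:
        for name in ("ps", "netstat"):
            (Path(root) / name).write_bytes(b"original " + name.encode())
        baseline = build_baseline(root)
        since = time.time()
        time.sleep(1.1)  # some filesystems keep ctime at one-second resolution
        (Path(root) / "ps").write_bytes(b"replaced ps")   # simulate a trojaned binary
        (Path(root) / "ls").write_bytes(b"new file")      # simulate a dropped file
        return compare_to_baseline(root, baseline, since)
```

The baseline and the hashing tool must come from trusted media (the boot-from-floppy approach mentioned earlier in the thread), since a trojaned `ls` or `md5sum` on the suspect box can hide exactly what you are looking for.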


