On Wed, 2007-01-03 at 20:26 -0500, Carl Hartung wrote:
> On Wednesday 03 January 2007 10:27, Carl Hartung wrote:
> <snipped; I'm replying to all who responded to my original post>
>
> Hi All,
>
> I'd forgotten I'd turned off sshd and apache2 immediately after the incident
> and only begun firing them up when needed. There must be an unknown mechanism
> affording access to the system. :-(

If you even slightly suspect some problem I highly recommend saving any
data you can and doing a fresh install on this machine. Better to be
safe than sorry.

>
> With respect to today's tests:
>
> First, after booting back into 10.0, 'who' was working correctly. (!?)
> After seeing this, I didn't bother checking the status of /var/run/utmp
>
> Remote administration was still disabled in the router, its firewall settings
> were still where I'd set them and my very long & complex 'Admin' names and
> password were still intact. I'm beginning to suspect some kind of "inside
> attack" is being routed through the M$ box that is sharing this connection.
>
> I saw nothing unusual with "last", "w" or "alias".

If the [u,w]tmp file is corrupt in any way you will get faulty results
when using these commands. Perhaps you fixed the problem by either
zeroing out the file with "> /var/log/[u,w]tmp" or by deleting it which
caused it to be recreated.

--
Ken Schneider
UNIX since 1989, linux since 1994, SuSE since 1998
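
Added example, not part of the original message: a structural check of utmp/wtmp records, showing the kinds of damage that make 'who', 'w' and 'last' report faulty results. It assumes the 384-byte glibc/Linux record layout; the function names and the sample records are constructed for illustration, and the backwards-timestamp test is a heuristic for the append-only wtmp file.

```python
import struct

# Assumed layout: glibc/Linux struct utmp, 384 bytes, little-endian.
REC = struct.Struct("<hxxi32s4s32s256shhiii4i20x")
USER_PROCESS = 7
VALID_TYPES = range(0, 10)  # EMPTY (0) through ACCOUNTING (9)

def make_record(ut_type, pid, line, user, host, sec):
    """Build one constructed sample record (id, exit, session, addr left zero)."""
    return REC.pack(ut_type, pid, line, b"", user, host,
                    0, 0, 0, sec, 0, 0, 0, 0, 0)

def check_records(data):
    """Return (record_index, problem) pairs for a utmp/wtmp byte string."""
    problems = []
    whole = len(data) - len(data) % REC.size
    if whole != len(data):
        problems.append((whole // REC.size, "truncated trailing record"))
    last_sec = 0
    for i, off in enumerate(range(0, whole, REC.size)):
        raw = data[off:off + REC.size]
        if raw.count(0) == REC.size:
            # Blank slot: the login tools skip it without any message.
            problems.append((i, "all-zero record"))
            continue
        fields = REC.unpack(raw)
        ut_type, user, sec = fields[0], fields[4].rstrip(b"\0"), fields[9]
        if ut_type not in VALID_TYPES:
            problems.append((i, "invalid ut_type %d" % ut_type))
        elif ut_type == USER_PROCESS and not user:
            problems.append((i, "login record with empty user"))
        if sec < last_sec:
            problems.append((i, "timestamp earlier than previous record"))
        last_sec = max(last_sec, sec)
    return problems

# Constructed sample: two sane records, then four kinds of damage.
SAMPLE = (
    make_record(2, 0, b"~", b"reboot", b"", 1000)
    + make_record(USER_PROCESS, 4242, b"pts/0", b"alice", b"192.0.2.10", 1100)
    + bytes(REC.size)
    + make_record(USER_PROCESS, 4300, b"pts/1", b"", b"", 1050)
    + make_record(42, 1, b"", b"x", b"", 1200)
    + b"\x07\x00"
)

if __name__ == "__main__":
    for index, problem in check_records(SAMPLE):
        print(index, problem)
```

To check a real file, pass its bytes to check_records(), for example the contents of /var/run/utmp read in binary mode.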
