You might want to get a copy of chkrootkit and run against the machine. If you have been rooted, it might detect something. If it comes up clean, it's no guarantee, but you can breathe a little easier. Do some of the other things like check for open ports. You may want to get a bootable Linux disk or maybe Knoppix on CD and boot and then mount your fs to check it out. In all honesty, as someone has said, I would run chkrootkit, check for open ports, run lsof from a booted floppy, then wait for this guy's evidence before I got too in depth.
<<JAV>>

---------- Original Message -----------
From: Bill Tangren <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Tue, 01 Jul 2003 13:35:08 -0400
Subject: Re: Help with possible hacking of a VirtualHost

> MKlinke wrote:
> > On Tuesday 01 July 2003 15:45, Bill Tangren wrote:
> >
> >>I have a perplexing problem. I received an email this morning from
> >>someone who states that he was surfing my web site site1.com, when
> >>he received a portscan attack from site2.com. However, site2.com is a
> >>VirtualHost that is aliased to site1.com. This person told us because
> >>he said we might have been hacked. I immediately changed the root
> >>password.
> >>
> >>Could someone tell me how this could have happened? If you do a
> >>lookup on site2.com, and then do a reverse lookup on that IP number,
> >>you see site1.com, not site2.com.
> >>
> >>If I have been hacked, what should I look at? I don't see any obvious
> >>evidence in the logs, but I'm not sure I would.
> >>
> >>TIA,
> >>
> >>Bill Tangren
> >
> >
> > Did this person send along any logs showing the scan packets or offer
> > any kind of detail as to what he meant by "portscan?"
> >
> > Regards, Mike Klinke
> >
> >
>
> I requested logs from his firewall, but have not heard back. This is
> weird as the machine in question is a server only, and I don't have
> telnet (server or client) on it. The few who have accounts have to
> use ssh (protocol 2 only) to get access. Also, all packages are up
> to date, and I am behind a firewall (which I don't maintain). Weird.
>
> Bill
>
> --
> redhat-list mailing list
> unsubscribe mailto:[EMAIL PROTECTED]
> https://www.redhat.com/mailman/listinfo/redhat-list
------- End of Original Message -------
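The "check for open ports" step in the reply above, as an added example that is not part of the original thread or of any of the posters' own scripts: a small POSIX shell function that takes `netstat -tlnp`-style output and a list of ports the server is supposed to be listening on, and prints every listening socket that is not on that list together with the program name netstat reports for it. The socket table below is constructed sample data (the port numbers and the `unknownd` process name are made up), not a capture from the server being discussed.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output (made-up sample, not a real capture).
SAMPLE_SOCKETS='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1044/httpd
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1044/httpd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2211/unknownd'

# The ports a web/ssh-only server like the one in the thread is expected to
# expose (assumed baseline; adjust to the host's real service list).
EXPECTED_PORTS="22 80 443"

# unexpected_listeners SOCKET_TABLE ALLOWED_PORTS
#   Prints "<port> <program>" for every LISTEN entry whose local port is not
#   in ALLOWED_PORTS. Prints nothing when every listener is accounted for.
unexpected_listeners() {
    sockets="$1"
    allow="$2"
    printf '%s\n' "$sockets" | awk -v allow="$allow" '
        BEGIN {
            # Build a lookup set from the space-separated allowlist.
            n = split(allow, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        $6 == "LISTEN" {
            # Local address is field 4; the port is whatever follows the last colon
            # (works for 0.0.0.0:22, 127.0.0.1:25 and :::80 alike).
            port = $4
            sub(/.*:/, "", port)
            # Last field is "PID/Program name" (or "-" when netstat lacks permission).
            prog = $NF
            sub(/^[0-9]*\//, "", prog)
            if (!(port in ok)) print port, prog
        }'
}

# Run against the constructed sample; a live check would instead pass the
# output of `netstat -tlnp` (or `ss -lntp` with the field numbers adjusted).
unexpected_listeners "$SAMPLE_SOCKETS" "$EXPECTED_PORTS"
```

Running this prints `31337 unknownd` for the sample table. On a live host the reply's caveat applies: a kernel-level rootkit can hide sockets and processes from `netstat` and `lsof` run on the running system, so an empty result from this check is only reassuring when the tools and the kernel they query are trusted, which is why the reply recommends repeating the inspection from a bootable CD or floppy.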