Good ideas, but remember that files on a hacked system are always suspect; for
example, several exploits will run extra copies of inetd, with their own copy of
inetd.conf stashed someplace strange like under /tmp, /var, or /dev.
/etc/passwd is _DEFINITELY_ a good call.
netstat is a likely target for rewriting with a root kit. Be wary of the output
from any binary on a compromised machine.
And in any case, I'd want to be sure that I've been hacked before panicking;
there are lots of reasons why network services stop working. Log files are your
friends. ;)
-m
Statux wrote:
>
> /etc/inetd.conf for one, to see if there are any strange entries
>
> /etc/passwd for funky stuff
>
> also doing 'netstat -a' to see which ports are listening that maybe
> shouldn't be.. but usually checking inetd.conf will fix most of this.
>
> That's my 2 cents
>
> On Tue, 5 Dec 2000, Scott Skrogstad wrote:
>
> > I might have been hacked but I am not sure. I have two servers that I
> > have been able to ftp into; now all of a sudden I connect, give it my user
> > name and password, and it says invalid password and drops me. I can turn
> > around and telnet in just fine. I thought it was a problem only on one
> > server and now I find it has just happened to a server that I have always
> > been able to ftp into.
> >
> > What the heck do I check?
> >
> > Scott Skrogstad
> > Computer Integration Inc,
> > [EMAIL PROTECTED]
> > 800-522-3475 Phone
> >
> >
> >
> > _______________________________________________
> > Redhat-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> >
>
> --
> -Statux
>
--
Michael Jinks, IB // Technical Entity // Saecos Corporation
"No one speaks English and everything's broken." -- T. Waits
"Tom Waits would have made a decent sysadmin." -- M. Jinks
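
An added example, not part of the original thread: one way to look for the extra inetd copies mentioned above without relying on ps or netstat, by reading each process's cmdline file directly and reporting any inetd started with a config file other than /etc/inetd.conf. The function names and the sample tree are constructed for illustration; it assumes the config file is passed as a plain path argument, and tr should itself come from known-good media.

```shell
#!/bin/sh
# Print "PID CONFIG" for every inetd whose config file argument is not
# /etc/inetd.conf. Usage: find_rogue_inetd [proc_root] (default /proc).
find_rogue_inetd() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        [ -r "$dir/cmdline" ] || continue
        pid="${dir##*/}"
        first=1
        # cmdline is NUL-separated; convert to one argument per line.
        tr '\000' '\n' < "$dir/cmdline" |
        while IFS= read -r arg || [ -n "$arg" ]; do
            if [ "$first" = 1 ]; then
                first=0
                # argv[0]: only keep going for processes named inetd.
                case "${arg##*/}" in
                    inetd) continue ;;
                    *) break ;;
                esac
            fi
            case "$arg" in
                ''|-*|/etc/inetd.conf) continue ;;   # option or default config
            esac
            case "$arg" in
                *[!0-9]*) printf '%s %s\n' "$pid" "$arg" ;;  # skip bare numbers (option values)
            esac
        done
    done
    return 0
}

# Constructed sample: a fake /proc tree with four processes.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir "$d/101" "$d/202" "$d/303" "$d/404"
    printf 'inetd\000' > "$d/101/cmdline"
    printf '/usr/sbin/inetd\000/dev/.x/inetd.conf\000' > "$d/202/cmdline"
    printf 'sshd\000/tmp/x\000' > "$d/303/cmdline"
    printf 'inetd\000-q\000128\000/etc/inetd.conf\000' > "$d/404/cmdline"
    printf '%s\n' "$d"
}

sample=$(make_sample_proc)
find_rogue_inetd "$sample"    # prints: 202 /dev/.x/inetd.conf
rm -rf "$sample"
```

Called with no argument it scans the live /proc. A clean result is weak evidence on its own, since a kernel-level rootkit can hide /proc entries as well.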