Originally, I started having problems on all of my machines and I figured
out it was because of poor performance on my dns server. Named wasn't
responding to lookups, so I tried restarting it, but that didn't work. It
kept telling me the port was already in use. I tried restarting inet and
other network services, but finally defaulted to just rebooting the
machine. After reboot, it took forever for me to get back in. When I did,
I discovered the system load was over 9. I checked the process list and
discovered all kinds of extra things running. Several compiles and several
scans for bind exploits were in progress. It looks like my machine was
taken over to attack other machines. I did more exploring and discovered
other utilities installed and many of the standard system utilities had
been replaced.
I am definitely going to rebuild this machine and a couple of others to
make sure everything is ok. In the process, I'm hoping there's a way I can
trace where the hacker is coming from and attempt to catch them. Is
tcpdump the only tool I can use for this?
-Ed
At 09:35 AM 2/16/2001 -0700, Frank Carreiro wrote:
>do the following...
>
>ps aux
>
>
>see what processes they are running. If you see some shell scripts
>running (called hackeda, hackb) stuff like that then it's VERY likely you
>were hit by the ramen worm. I would recommend you pull the plug and
>consider if there is ANY data you really need on the system. If not, wipe
>it clean and reinstall.
_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
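Two quick defender-side checks that follow from the thread (the `ps aux` review Frank suggests, and Ed's observation that standard system utilities had been replaced), written as an added example that is not code from either poster. The process-name pattern, the sample `ps` output and the checksum manifest are constructed for illustration; the manifest check assumes GNU coreutils `sha256sum`.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes GNU coreutils.

# Process names the thread associates with the Ramen worm (hackeda, hackb),
# plus compiles and scanners like those in the original report. Constructed
# pattern; extend it for your own environment.
SUSPECT_PATTERN='hackeda|hackb|scan|gcc|cc1'

# Read `ps aux` output on stdin and print only the lines worth a closer look.
flag_processes() {
    grep -E "$SUSPECT_PATTERN"
}

# Compare installed binaries against a checksum manifest produced on a
# known-good system (or from the original install media) with
# `sha256sum /bin/* /sbin/* > manifest`. Prints every file whose checksum
# differs or is missing and returns 1 if anything was altered.
check_binaries() {
    manifest="$1"
    # sha256sum -c prints "path: OK" or "path: FAILED"; keep the non-OK lines.
    bad=$(sha256sum -c "$manifest" 2>/dev/null | grep -v ': OK$' || true)
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# Constructed ps output resembling what the original poster described:
# a worm shell script, a compile in progress, a scanner, and normal processes.
SAMPLE_PS='root  1  0.0 0.1 init
root 532 95.0 2.0 /bin/sh ./hackb
root 540 80.0 5.0 gcc -O2 scan.c
root 601  1.0 0.5 ./scan 10.0.0.0
ed   700  0.0 0.1 -bash'

# Number of suspicious lines in the constructed sample (expected: 3).
count_suspects() {
    printf '%s\n' "$SAMPLE_PS" | flag_processes | wc -l | tr -d ' '
}
```

On a live box run `ps aux | flag_processes` and `check_binaries manifest`; remember that a replaced `ps` or `sha256sum` can lie, so prefer running these from read-only media or a rescue system.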