On Tue, 9 Oct 2001, gabriel wrote:

> k
> i've been going crazy
> i think someone's been hacking into my webserver
> but i don't know how to be sure
>
> typing "last" at the command line returns a list of past logins
> and there's no one on there but me.
> but also on that list is the following line:
>
> reboot system boot 2.4.4-4GB [date] [time] (01:20)
>
> and i didn't reboot my machine at that time.
> my messages.log file is cleared to that date
> ie, i have no entries from before october 9th @ 11:49
> the time this "reboot" happened
>
> does anyone know what's going on?
> any suggestions?
>
> i have the following installed:
> redhat 7.1
> bind 9 (came with 7.1)
> proftpd (downloaded/installed)
> apache 1.3.20 (downloaded/installed)

rpm -Va > /root/amIhacked ; less /root/amIhacked

Look for anything in a 'bin' or 'sbin' directory, especially if its size or md5sum has been changed. Not 100% foolproof, but a quick 10 minute check.

--
Chris Kloiber, RHCE
Enterprise Support - Red Hat, Inc.
[root@earth root]# rm -rf /bin/laden

_______________________________________________
Seawolf-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/seawolf-list
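
Added example, not part of the reply above: a small filter that narrows `rpm -Va` output to the entries the reply says to look for, namely files under a 'bin' or 'sbin' directory whose size (S) or MD5 digest (5) flag is set, plus such files reported missing. The function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Narrow `rpm -Va` output to files in a bin/ or sbin/ directory whose
# size (S) or MD5 digest (5) differs from the RPM database, or which
# are reported as missing.

# Constructed sample of `rpm -Va` output (not taken from a real host).
sample_report() {
cat <<'EOF'
S.5....T c /etc/proftpd.conf
.......T   /usr/share/doc/bind-9.1.0/README
S.5....T   /bin/ls
..5.....   /usr/sbin/sshd
.M......   /usr/bin/passwd
missing    /sbin/ifconfig
S.5....T   /usr/lib/libbind.so
EOF
}

# Reads a report on stdin; prints "<reason> <path>" per suspicious file.
flag_binaries() {
    awk '
    {
        flags = $1
        i = index($0, "/")           # path starts at the first slash, so an
        if (i == 0) next             # attribute marker like "c" is skipped
        path = substr($0, i)         # and paths containing spaces survive
        if (path !~ /\/s?bin\//) next
        if (flags == "missing")  print "missing", path
        else if (flags ~ /[S5]/) print "changed(" flags ")", path
    }'
}

# On a live system: rpm -Va | flag_binaries
sample_report | flag_binaries
```

The verification trusts the local RPM database and the rpm binary itself, which is one reason the check is "not 100% foolproof" on a host that may already be compromised.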