Did you run chkrootkit? It can be found at chkrootkit.org. Did you have a previous database like, say, fcheck, tripwire or something similar? The RPM database can be compromised. Try loading a new ps, netstat, lsof and then check for any listening services.

On Fri, 27 Apr 2001, Kyle Hofmann wrote:

> Hi,
>
> My roommate and I run a Redhat 6.2 server. Wednesday, at about fifteen
> minutes past midnight, our load average went from its usual 0.something to
> nearly 30, and stayed this way for about ten minutes. By the time we got
> top running, the offending process or processes had terminated.
>
> Since neither of us was running anything more than ssh at the time, our
> initial suspicion was that someone had (probably accidentally) DoS'ed us.
> However, looking at our log files showed no excessive or suspicious activity.
> This led us to suspect that we may have been compromised, and that we had
> experienced the automated installation or operation of a rootkit that expected
> a modern, fast machine. Since our server is an old 486, this would have
> caused the load average to spike.
>
> So we disconnected our machine from the Internet and started looking around
> for evidence of a break-in. So far, we've looked for and failed to find:
>
> - Evidence of the Lion worm (to which we were vulnerable)
> - Non-devices in /dev
> - New suid or sgid programs
> - "..." or ".. " directories
> - Changed MD5 sums from those listed in the RPM database
> - Changes to /etc/passwd, /etc/shadow, and /etc/inetd.conf
> - Suspicious running processes
>
> This leads me to wonder if we were, in fact, exploited at all. However, we're
> both entirely inexperienced at forensic analysis, and so we're probably
> missing something. Hence, we would like to solicit help: What other things
> should we look for? And if we haven't been exploited, what could have caused
> the spike in our load average?
>
> Thanks in advance.
>
> --
> Kyle R. Hofmann <khofmannat_private>
>
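The filesystem checks Kyle lists (non-devices in /dev, new setuid/setgid programs, "..." and ".. " directories) as small shell functions that take a root directory, so they can be rerun against a mounted disk image and diffed against a baseline taken from a known-good install. This is an added example, not code from the thread; it assumes only POSIX sh, find, awk and comm, and, as the reply advises, should be run with freshly loaded known-good binaries. The sample tree and the file names in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): repeatable versions of the checks
# Kyle listed. Each function takes the root of the tree to inspect ("/" on
# the live host, or the mount point of an image taken from it).

# Regular files under $ROOT/dev. /dev should hold device nodes, directories,
# FIFOs, sockets and symlinks; a plain file there deserves a look.
odd_dev_entries() {
    find "$1/dev" -xdev -type f 2>/dev/null
}

# Every setuid or setgid regular file under $ROOT.
setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Directory names chosen to vanish in a casual "ls": "...", ".. " and ". ".
dotted_dirs() {
    find "$1" -xdev -type d \( -name '...' -o -name '.. ' -o -name '. ' \) 2>/dev/null
}

# Setid files present now that are absent from a sorted baseline list
# (baseline made earlier with: setid_files / | sort > baseline.txt).
new_setid_files() {
    setid_files "$1" | sort | comm -13 "$2" -
}

# Portable line counter (prints 0 on empty input, no leading spaces).
count_lines() { awk 'END { print NR }'; }

# Constructed sample tree with one finding of each kind, plus a baseline
# that already knows about one legitimate setuid binary.
build_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/dev/pts" "$t/usr/bin" "$t/tmp"
    : > "$t/dev/.rk.conf"                  # plain file hiding in /dev
    : > "$t/usr/bin/passwd"                # known, baselined setuid binary
    : > "$t/usr/bin/fakelogin"             # new setuid binary (constructed)
    chmod 4755 "$t/usr/bin/passwd" "$t/usr/bin/fakelogin"
    mkdir "$t/tmp/..." "$t/tmp/.. "        # hidden directories
    printf '%s\n' "$t/usr/bin/passwd" > "$t/baseline.txt"
    printf '%s\n' "$t"
}
```

Diff the output of each function against the same function run on a clean install of the same release rather than against the RPM database alone, since the reply notes that database may itself have been altered.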
This archive was generated by hypermail 2b30 : Sat Apr 28 2001 - 12:07:46 PDT