hi ya gareth

run the rootkit detectors... and see if it finds anything...

- audit your box... ( tons of free auditing tools )
  http://www.linux-sec.net
  Audit & tracking/forensics sections ( search for rootkit ... easier ?? )

if they were successful... you'd see many symptoms:
  - altered log files
  - altered binaries
  - altered config files
  - extra directories
  - extra files
  - extra processes running that you cannot explain
  - slower response than before
  - bounced emails to root/postmaster
  - blah...blah...

all of those are easy to identify before it becomes a problem with a good IDS...
but a properly hardened box will be even better...

- they were "Testing" your rpc stuff... for old bugs...
  if you do NOT mount this server from other boxes... turn nfs off
  along with hundreds of other unused services/daemons

== since you have to ask ... how can you tell...

- the simple answer is install tripwire or aide or other ids and it will
  tell you they got in... ( which is TOO late )

- trick: only install tripwire/aide/ids on a VIRGIN & patched box...
  don't bother wasting time after it's been online/[h/cr]hacked

have fun
alvin

On Sun, 22 Jul 2001, Gareth Hastings wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for
> ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8
> x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
> 220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\
> 220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\22
> 0\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\
> 220\220\220\220\220\220
> \220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\2
> 20\220\220\220\220\220\
> 220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\22
> 0\220\220\220\220\220\2
> 20\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
> \220\220\220\220\220\22
> 0\220\220
>
> How do I know if the attempt succeeded or not ? This entry is repeated
> about 50 times. I checked the obvious things like hosts.allow/deny
> being changed. I checked for suid root files and entries in the
> inetd.conf file. Is there anything else I should look for ?
> k

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
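The log entry Gareth quoted carries the classic fingerprints of a format-string attack on rpc.statd: a run of %8x stack reads, two %hn memory writes each preceded by a large field width (%62716x, %51859x) that sets the value written, and a long tail of \220 bytes, which is how syslog renders the non-printable 0x90 (x86 NOP) bytes of a NOP sled. Alvin's advice to watch the logs can be turned into a check. The following Python is an added example written for this page, not code from the thread or from any tool named in it. It parses syslog-format lines and scores each message on those three indicators. The SAMPLE_LOG is constructed: its first line is the posted rpc.statd entry with the NOP sled cut to 16 bytes, the other two are made-up benign entries for contrast. It answers "was this an exploit attempt?", not "did it succeed?"; for the latter the thread's own advice (a tripwire/aide baseline taken on a clean box, then looking for altered binaries and unexplained processes) is still what applies.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: line 1 is the rpc.statd entry quoted in the thread with the
# NOP sled shortened to 16 bytes (the original runs to roughly 200); lines 2 and 3
# are made-up benign entries for contrast.
SAMPLE_LOG = r"""Jul 17 07:47:45 somebox rpc.statd[609]: gethostbyname error for ^X?y?^X?y?^Z?y?^Z?y?%8x%8x%8x%8x%8x%8x%8x%8x%8x%62716x%hn%51859x%hn\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Jul 17 07:48:02 somebox rpc.statd[609]: gethostbyname error for client42.example.net
Jul 17 07:50:11 somebox sshd[702]: Accepted publickey for gareth from 192.0.2.10 port 51234 ssh2"""

# Classic BSD syslog line: "Mon DD HH:MM:SS host prog[pid]: message"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w.\-/]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)
# Conversions that WRITE to memory (%n, %hn, %hhn, optionally positional %3$n).
# Attacker-controlled input has no legitimate reason to contain them.
WRITE_SPEC_RE = re.compile(r"%(?:\d+\$)?h?h?n")
# Conversions that READ up the stack; the captured field width (e.g. 62716 in
# %62716x) is what the exploit uses to set the count a following %hn writes.
READ_SPEC_RE = re.compile(r"%(?:\d+\$)?(\d*)[xXpdu]")
# syslog escapes non-printable bytes as octal; \220 is 0x90, the x86 NOP.
NOP_RE = re.compile(r"\\220")


@dataclass
class Finding:
    timestamp: str
    host: str
    prog: str
    writes: int      # %n-family occurrences
    reads: int       # %x-style stack reads
    max_width: int   # largest field width seen
    nop_count: int   # octal-escaped 0x90 bytes
    verdict: str


def classify(msg: str) -> tuple[int, int, int, int, str]:
    """Score one syslog message body and return (writes, reads, max_width, nops, verdict)."""
    writes = len(WRITE_SPEC_RE.findall(msg))
    widths = READ_SPEC_RE.findall(msg)          # one captured width string per read
    reads = len(widths)
    max_width = max((int(w) for w in widths if w), default=0)
    nops = len(NOP_RE.findall(msg))
    if writes:
        verdict = "format-string exploit attempt"
        if nops >= 8:
            verdict += " with NOP sled/shellcode"
    elif reads >= 4 or nops >= 8:
        verdict = "suspicious: stack-read probe or shellcode"
    else:
        verdict = "benign"
    return writes, reads, max_width, nops, verdict


def analyze_log(text: str) -> list[Finding]:
    """Parse every syslog line in text and return one Finding per parseable line."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue   # not syslog-shaped; skip rather than guess
        writes, reads, max_width, nops, verdict = classify(m["msg"])
        findings.append(
            Finding(m["ts"], m["host"], m["prog"], writes, reads, max_width, nops, verdict)
        )
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.prog:10} writes={f.writes} reads={f.reads} "
              f"maxwidth={f.max_width} nops={f.nop_count} -> {f.verdict}")
```

Run against a real /var/log/messages the same way (read the file and pass its text to analyze_log); the thresholds of 4 reads and 8 NOPs are assumptions chosen to keep ordinary hostnames and paths out of the "suspicious" bucket, and a hit on any %n-family conversion is treated as an attempt regardless of the rest.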
This archive was generated by hypermail 2b30 : Sun Jul 22 2001 - 17:47:37 PDT