Re: SSH Attempts: Link to RedHat?

From: jon schatz (jonat_private)
Date: Mon Dec 17 2001 - 16:26:49 PST


    On Mon, 2001-12-17 at 15:50, Gregg Sperling wrote:
    > Surprisingly, I have had several pleasant exchanges with the individual who 
    > runs the server.  He has offered to allow me access
    > into his server with root access. 
    
    you're kidding me. 
    
    > Besides checking the standard /var/log/messages log, are there any 
    > suggestions as to where I should check for possible breaches
    > in this individual's system?
    
    i'd check the integrity of the installed rpms:
    
    	[jon@devotchka jon]$ for i in `rpm -qa`; do rpm -V $i; done
    
    i'd also look for recent additions in /dev (which seems to be the
    directory of choice for rootkits):
    
    	[jon@devotchka /dev]$ ls -tla|more
    
    in fact, you could check file mod times on the whole system to be
    totally sure. 
    
    i'd also check what ports were open on the local machine, who was
    currently connected, and what actual processes were responsible for
    those ports:
    
    	[jon@devotchka /dev]$ netstat -na --inet
    	[jon@devotchka /dev]$ lsof |grep LISTEN
    
    now the bigger problem is that someone who admins a public linux box
    would offer root access to a (basically) complete stranger from the
    interweb. you stated that he had ftp + telnet open (amongst others). RH
    hasn't enabled telnet by default in a while (i believe ssh has been the
    default since 7.0). So we're most likely looking at a box running
    outdated software run by an inexperienced admin. not a particularly hard
    target from a script kiddie pov. then again, maybe you'll find the
    fabled openssh2 remote exploit...
    
    hope this helps.
    
    -jon
     
    -- 
    jonat_private || www.divisionbyzero.com
    gpg key: www.divisionbyzero.com/pubkey.asc
    think i have a virus?: www.divisionbyzero.com/pgp.html
    "You are in a twisty little maze of Sendmail rules, all confusing." 
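The three checks jon lists above (rpm verification, recent files in /dev and elsewhere, listening sockets) are worked through below as an added example; this is not jon's code or part of the original post. The functions read command output from stdin so they can be run against output saved on the suspect host ("rpm -Va > verify.txt", "netstat -na --inet > net.txt"), which matters because on a rooted box the local ls/netstat/lsof binaries may themselves be replaced. rpm -Va covers the same ground as the "for i in `rpm -qa`" loop. All sample input is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): triage helpers for the checks
# described in the thread. Sample data in the comments and tests is constructed.

# rpm -V prints one line per file that differs from the package database:
# a 9-column flag field (S size, M mode, 5 digest, D device, L link, U user,
# G group, T mtime, P capabilities; "." means unchanged), an optional
# attribute letter (c config, d doc, g ghost, l license, r readme), then the
# path. "missing" in place of the flags means the file has been deleted.
# Changed config files and docs are normal on a live box; a changed digest,
# mode or owner on an ordinary binary is not, and is exactly what a rootkit
# that swaps out ls, ps or netstat produces. Output is severity, reason, path,
# tab-separated, so it can be sorted or grepped.
triage_rpm_verify() (
    set -f                      # no glob expansion while word-splitting lines
    while IFS= read -r line; do
        case "$line" in ''|Unsatisfied*) continue ;; esac
        set -- $line
        flags=$1
        shift
        attr=
        if [ $# -gt 1 ]; then   # attribute column present before the path
            attr=$1
            shift
        fi
        path=$*
        if [ "$flags" = missing ]; then
            printf 'HIGH\tmissing\t%s\n' "$path"
            continue
        fi
        case "$attr" in c|d|g|l|r) continue ;; esac   # expected to change
        case "$flags" in
            *5*)         printf 'HIGH\tdigest changed\t%s\n' "$path" ;;
            *M*|*U*|*G*) printf 'MEDIUM\tmode/owner changed\t%s\n' "$path" ;;
            *S*|*T*)     printf 'LOW\tsize/mtime only\t%s\n' "$path" ;;
        esac
    done
)

# Regular files modified within the last N minutes (default one day) under a
# directory. For /dev this is a strong signal on its own: a healthy /dev holds
# device nodes, not regular files. With DIR=/ it is the whole-system mtime
# sweep jon mentions; -xdev keeps find on one filesystem so /proc and
# network mounts are not walked.
recent_files() {
    dir=$1
    mins=${2:-1440}
    find "$dir" -xdev -mmin "-$mins" -type f -print 2>/dev/null | sort
}

# Listening TCP sockets from saved "netstat -na --inet" output, as
# "proto port", one per line. Diff this against what the admin believes should
# be open; each unexpected port then goes to "lsof -i :PORT" (or
# "fuser -n tcp PORT") to find the owning process.
listening_ports() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print $1, a[n] }' | sort -u
}

# Usage on saved output from the suspect host, for example:
#   triage_rpm_verify < verify.txt | sort
#   recent_files /dev 10080
#   listening_ports < net.txt
```

Run the rpm triage first and read its HIGH lines before trusting anything the box's own tools print; if /bin/ls or /bin/netstat shows a digest change, the other two checks need to be done with binaries brought in from a known-good medium.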
    This archive was generated by hypermail 2b30 : Tue Dec 18 2001 - 09:36:15 PST