you missed statd, which is also a likely culprit. however, with this compromise it appears the kiddie didn't get in by running any script trash. if you study the history file carefully you'll see he's running synscan on port 1524, which is a very common backdoor port used by many exploits. you'll also see he's grepping for "#", which will indicate to him that the open port on 1524 has a root shell bound to it, which kids often leave open when exploiting a host. this is probably how he found your system, i.e. already rooted by a previous intruder.

-blazin

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
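A host-side check for the condition described in the post above, a listener left on port 1524, written as an added example that is not part of the original message. It assumes the Linux `/proc/net/tcp` layout on a little-endian host; the sample table and the function names are constructed for illustration.

```python
"""Flag TCP listeners on port 1524 from Linux /proc/net/tcp content."""
import socket
import struct

BACKDOOR_PORTS = {1524}   # the port named in the post
TCP_LISTEN = 0x0A         # kernel state code for LISTEN

# Constructed sample in /proc/net/tcp layout (not taken from any real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1101 1 0 100 0 0 10 0
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2202 1 0 100 0 0 10 0
   2: 0A00000A:C350 0B00000A:05F4 01 00000000:00000000 00:00000000 00000000  1000        0 3303 1 0 20 4 30 10 -1
"""


def decode_addr(hex_addr):
    """Turn 'AABBCCDD:PPPP' into (dotted IPv4, port); assumes little-endian host."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def find_backdoor_listeners(text, ports=BACKDOOR_PORTS):
    """Return one dict per LISTEN socket whose local port is in `ports`."""
    findings = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:                    # ignore truncated rows
            continue
        ip, port = decode_addr(fields[1])
        # Only listeners count: row 2 above is an outbound connection *to* 1524.
        if int(fields[3], 16) == TCP_LISTEN and port in ports:
            findings.append({"addr": ip, "port": port,
                             "uid": int(fields[7]), "inode": int(fields[9])})
    return findings


if __name__ == "__main__":
    for hit in find_backdoor_listeners(SAMPLE):
        owner = "root" if hit["uid"] == 0 else "uid %d" % hit["uid"]
        print("listener on %s:%d owned by %s (socket inode %d)"
              % (hit["addr"], hit["port"], owner, hit["inode"]))
```

On a live host, pass the contents of `/proc/net/tcp` instead of `SAMPLE`; the socket inode can then be matched against `/proc/<pid>/fd` to find the owning process.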
This archive was generated by hypermail 2b30 : Fri Mar 08 2002 - 03:52:39 PST