> Get an 'lsof' listing of processes and what programs are bound to
> those ports/processes. See if any trojans have been installed on the
> box.

Nothing out of the ordinary.

> One other thing you might want to do is use the find command to find
> any 'dot' directories.
>
> % find . -type d -name ".*" -print

Just the ones I have already found.

> I'd also see what versions of SSHD, etc. were running to figure out
> how the attacker might have broken in. Check SSH for the CRC/32
> vulnerability. I would also see if he left telnetd running or any RPC
> services. Also, might want to let your friend know not to keep
> tripwire databases on the same machine. They should be put on a
> protected floppy or cdrom.

sshd, wu-ftp, telnet, and every other program that has had a major security bug in the past year (how long this box has been up) is installed. I doubt I can narrow down how the hacker got in unless he left a copy of whatever exploit he used on the system. So far I haven't found one. I'm going to do another couple of sweeps through the box and see if I can pick up any more info. After that, I'm going to recommend reinstallation and a closer look at how he configures his system.

thanks,

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
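The two sweeps suggested in the thread (an lsof listing of what is bound to listening ports, and a find for hidden "dot" directories) lend themselves to a small script. The following is an added example, not code from either poster: it wraps the thread's find command so that directories the investigator has already reviewed can be held in a baseline file and only new ones are reported, and it adds a listener-listing helper that falls back from lsof to ss. The sample directory tree, the baseline file and the path names in it are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): sweep a tree for hidden
# directories and report only those not yet reviewed, plus a helper that
# lists listening sockets with their owning processes.

# Print every hidden directory under $1 (the thread's find, rooted at $1
# and skipping $1 itself), one path per line, sorted for stable diffing.
find_hidden_dirs() {
    find "$1" -mindepth 1 -type d -name '.*' -print | sort
}

# Print hidden directories under $1 that are NOT listed in baseline file $2.
# The baseline holds one already-examined absolute path per line; -x -F
# forces whole-line, literal matches so ".x" cannot match ".xsession".
# grep -v exits 1 when nothing is left to print, which is not an error here.
new_hidden_dirs() {
    find_hidden_dirs "$1" | grep -v -x -F -f "$2" || true
}

# Listening TCP sockets with the owning process: lsof first, ss as fallback.
# Not exercised by the test below because its output depends on the host.
list_listeners() {
    lsof -nP -iTCP -sTCP:LISTEN 2>/dev/null || ss -ltnp
}

# Build a constructed sample tree in a temp directory and print its path.
# Two of the four hidden directories are recorded as already reviewed.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/home/user/.ssh" "$d/home/user/.gnupg" \
             "$d/tmp/.cache" "$d/var/lib/.x"
    printf '%s\n' "$d/home/user/.ssh" "$d/home/user/.gnupg" > "$d/baseline.txt"
    echo "$d"
}

# Usage on a real box would be e.g.:
#   find_hidden_dirs / > reviewed.txt      # first sweep, review by hand
#   new_hidden_dirs / reviewed.txt         # later sweeps show only new ones
#   list_listeners
```

Keeping the baseline off the examined machine (as the thread advises for the tripwire database) matters for the same reason: a list stored on the compromised host can be edited to hide the directory it was meant to reveal.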
This archive was generated by hypermail 2b30 : Mon May 06 2002 - 11:53:21 PDT