Re: Unusual Message log contents

From: Mark Newby (markat_private)
Date: Wed May 08 2002 - 05:13:40 PDT

    Gregory Kane wrote:
    > 
    > Ok - I'm not totally sure what is going on here. Does 
    > anyone have a thought about this entry in my message.log 
    > file?
    > 
    
    I saw this sort of stuff prior-to/during/after a Red Hat Linux 7.2 Web 
    server was cracked into and used by crackers to install IRC bots, 
    sniffers, trojaned servers (ftp server), etc.
    
    I'd check for rogue files, rootkits, etc.  A good start is to run 
    chkrootkit (<www.chkrootkit.org>).  There's lots of FAQs, etc. on the www 
    that explain the steps to go through in detecting if you've been 
    compromised and how to recover.
    
    
    mark
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    