PLEX86  x86- Virtual Machine (VM) Program

need help with root hack 1049



Don't trust your box anymore. Apparently some program has been installed to take the place of bash. Hard to tell from here which version you are using yourself right now. Easy to guess the new Bash does more than handle your keystrokes for you....

Your (his) bashhistory stops there, simply because a new bash has taken over. ASSUME the worst!

Was testuser a user you created before? What do your firewall rules-policies look like? (Which) users are allowed to SSH to your machine from remote locations? What services do you have running at opened ports?


Don't throw the 'evidence' away! Save it in an archive on a cdrom or diskette and keep that for later analysis. Be glad you FOUND the evidence, many hacked boxen are only discovered as such much later. Block the user, kill the WAN connection.

Maybe you can try nmap to see what ports are open on your box to the outside world. If you want me or someone else to have a look what ports are open, you could pm someone, or better, use an online service to have your pc scanned. Better still (as long as you are sure no other hosts on your LAN are affected), run nmap on those to see what services-ports your compromised box advertises through the firewall.

chkrootkit and rkhunter (both available as yum-able rpms I believe) can help spot rootkits on your box.


New setup is advisable, if not mandatory. Someone installing his own bash surely isn't doing that just to see if he can...

Next install, make sure you use tripwire or AIDE or similar to make a checksum database of all the relevant stuff on your machine. That way you at least can easily detect which programs-files have been affected after a break-in. Be sure to keep the database up-to-date and stored somewhere safe (i.e. write-once media or external device, floppies, etc etc.)

HTH Sh.
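
The checksum-database idea from the post above, as an added example that is not part of the original thread and is not how tripwire or AIDE are implemented. It assumes GNU `sha256sum`; the function names and the database format are hypothetical, and the database file is assumed to live outside the scanned directories, on the write-once or external media the post recommends.

```shell
#!/bin/sh
# Minimal file-integrity baseline (added example; names are hypothetical).
# Database format: plain `sha256sum` output, "<64 hex chars>  <path>".
# Paths containing newlines or backslashes are escaped by sha256sum and are
# not handled here.

# baseline_create DB DIR...: record a SHA-256 for every regular file under DIR.
baseline_create() {
    db=$1; shift
    find "$@" -xdev -type f -exec sha256sum {} + > "$db"
}

# baseline_check DB DIR...: print CHANGED / MISSING / NEW lines.
# Returns 0 when the tree matches the baseline, 1 when anything differs.
baseline_check() {
    db=$1; shift
    now=$(mktemp) || return 2
    find "$@" -xdev -type f -exec sha256sum {} + > "$now"
    report=$(awk '
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }  # baseline
        {                                                       # current state
            path = substr($0, 67)
            if (!(path in old))        print "NEW     " path
            else if (old[path] != $1)  print "CHANGED " path
            seen[path] = 1
        }
        END { for (p in old) if (!(p in seen)) print "MISSING " p }
    ' "$db" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Typical use would be `baseline_create /mnt/usb/baseline.db /bin /sbin /usr/bin` right after a clean install and `baseline_check` with the same arguments later, ideally run from boot media you trust rather than from the suspect system's own shell and tools.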


