LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-25-2004, 06:48 PM   #16
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57

You can do a search of the file system for files owned by those users with:
find / -user <username>

Running the rpm verification command should let you know which packages (including init) have been modified.

However, it's pretty safe to say that the system has been compromised and will need to be completely reformatted and re-installed from trusted media (not from a backup).
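The rpm verification step mentioned in post #16, shown as an added example that is not part of any poster's reply: a shell function that triages `rpm -Va` output so that changed or missing non-config files (such as init) stand out from routine config edits. The function names `rpm_verify_triage` and `sample_rpm_va` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -Va` output read from stdin.
# Each line is "<flags> [attr] <path>". flags is a string such as "S.5....T"
# (S size, M mode, 5 digest, U user, G group, T mtime); the optional attr is
# c (config), d (doc), g (ghost), l (license) or r (readme).
# A file that no longer exists is reported as "missing [attr] <path>".
# Assumption: paths contain no whitespace.
rpm_verify_triage() {
    awk '
    {
        flags = $1
        path  = $NF
        attr  = (NF >= 3) ? $2 : ""
    }
    # Config and ghost files change in normal use, doc files are not executed.
    attr == "c" || attr == "d" || attr == "g" { next }
    flags == "missing" { print "MISSING " path; next }
    # The third flag character is "5" when the file digest differs.
    substr(flags, 3, 1) == "5" { print "CONTENT " path; next }
    # Mode, owner or group changed without a content change.
    flags ~ /^.M/ || flags ~ /^.....U/ || flags ~ /^......G/ { print "PERMS " path }
    '
}

# Constructed sample of rpm -Va output (not taken from the thread).
sample_rpm_va() {
    cat <<'EOF'
S.5....T c /etc/sysconfig/iptables
S.5....T   /sbin/init
.......T   /usr/bin/less
.M......   /usr/bin/passwd
missing    /usr/bin/lsattr
..5....T d /usr/share/doc/foo/README
.....UG.   /bin/login
EOF
}

# When run directly, print the triage of the constructed sample.
sample_rpm_va | rpm_verify_triage
```

On a live system the input would be `rpm -Va` piped into the function. On a host already believed compromised, the rpm binary and its database may themselves have been altered, so a clean result is not proof of integrity.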
 
Old 08-26-2004, 01:00 AM   #17
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
hi

Come on, get working with tripwire fast.
This will help with your problems, or you need to keep looking out for these users logged in more often from the command you used:
who -u with both utmp and wtmp. utmp will tell you about current users; wtmp contains the log.

regards
 
Old 08-26-2004, 06:52 AM   #18
chrism01
Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.5, Centos 5.10
Posts: 16,289

Rep: Reputation: 2034
Capt_Caveman is correct. You need to do a full install from scratch, then add in Tripwire (which is on the RH9 CD 3), set up your firewall (iptables) carefully.
Then test against it using nmap (also on RH9 CD 2). Then download www.chkrootkit.org and set it to run via cron. Tripwire should have installed in cron automatically.
Check which services are running via menu: System Settings | Server Settings | Services and turn off all the ones you don't need. Do this immediately after the install.
Check if anything is needed running under xinetd.
Always use ssh/scp/sftp, never telnet, ftp, r* cmds.
HTH
 
  


All times are GMT -5.
