Quote:
Originally Posted by vt88288
Here is the log from the output. It doesn't show much though...
Sorry for the late reply. Indeed it does not show much. Are you sure you ran the commands as the root user? The only process details are that they run as root and each has two file descriptors (one for the root directory and one for the current working directory), both of which are "/". Since the commands ran as root, ideally you should bring the machine down and operate on the (read-only!) corpse by booting a Live CD like the RHEL installer CD, HELIX or KNOPPIX, but if this is a remote machine you should at least
- save the output of '(w; echo; who; echo last; /bin/netstat -antupe; echo; /usr/sbin/lsof -Pwln; echo; /bin/ps axfwwwe)|tee /var/tmp/log1.txt' off-site and proceed to
- shut down all net-facing services (excluding SSH) and
- other non-critical daemons (atd, cron) and
- raise the firewall to exclude all traffic except for your management IP or range in an attempt to stabilize the situation. After that
- copy all logs, including logrotated ones, to a physically different workstation and run them, with the --archives --range All settings, through 'logwatch' in an attempt to find quick clues.
Also have a look at the commands from the CERT Intruder Detection Checklist, as it never hurts to perform those.
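The volatile-state capture and log collection described above, written out as a small triage script. This is an added example, not code from the original thread; it assumes a Linux host and wraps each tool (w, who, last, netstat, ss, lsof, ps) so that a missing or failing command is recorded in the log rather than aborting the capture. The output directory argument and the function names are the example's own. Shutting down services and raising the firewall are deliberately left to the operator, since those steps depend on the host's role.

```shell
#!/bin/sh
# First-response triage snapshot for a suspected compromise (added example,
# not from the original post). Run as root so netstat -p and lsof report
# ownership for every process, then copy the output directory off the box.

section() {
    # Labelled header with a UTC timestamp, so the log is easy to grep later.
    printf '\n===== %s (%s) =====\n' "$1" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

run_or_note() {
    # Run the command if it exists; record absence or a non-zero exit instead
    # of stopping, so one missing tool never costs the rest of the snapshot.
    cmd="$1"
    if command -v "$cmd" >/dev/null 2>&1; then
        "$@" 2>&1 || echo "[$cmd exited with status $?]"
    else
        echo "[not available: $cmd]"
    fi
}

check_root() {
    # Process ownership columns are only complete for uid 0.
    if [ "$(id -u)" -ne 0 ]; then
        echo "warning: not running as root; process ownership will be incomplete" >&2
        return 1
    fi
    return 0
}

collect_volatile() {
    # $1 = output directory (use storage you will copy off-site immediately).
    # Prints the path of the written log on stdout.
    outdir="$1"
    mkdir -p "$outdir"
    out="$outdir/log1.txt"
    {
        section "identity";          run_or_note id
        section "uptime and users";  run_or_note w
        section "who";               run_or_note who
        section "last logins";       run_or_note last -a
        section "sockets (netstat)"; run_or_note netstat -antupe
        section "sockets (ss)";      run_or_note ss -antupe
        section "open files (lsof)"; run_or_note lsof -Pwln
        section "process tree";      run_or_note ps axfwwwe
    } > "$out" 2>&1
    printf '%s\n' "$out"
}

archive_logs() {
    # Bundle /var/log including logrotated copies (*.1, *.gz) for offline
    # review, e.g. with 'logwatch --archives --range All' on another machine.
    outdir="$1"
    mkdir -p "$outdir"
    tar czf "$outdir/var-log.tgz" /var/log 2>/dev/null \
        || echo "warning: tar finished with errors (permissions?)" >&2
    printf '%s\n' "$outdir/var-log.tgz"
}

# Usage (as root): sh triage.sh /var/tmp/ir-$(date +%s)
if [ "${1:-}" != "" ]; then
    check_root || true
    collect_volatile "$1"
    archive_logs "$1"
fi
```

Copy the whole output directory to a separate workstation before doing anything else on the host; the log itself lives under /var/tmp only because that is where the original one-liner put it, and an attacker with root can alter or delete it at any time.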