[Wftl-lug] lastlog and syslogd weirdness
jay
jay at musubi.org
Mon Mar 12 10:03:58 PST 2001
i didn't catch the beginning of this thread... does he think he's been
hacked?
things to do:
-check the timestamps on the password file.
-check the password file for new accounts.
-if you have lsof installed: lsof -i TCP:1-60000
-check your inetd.conf for weird entries
-look for suid root files.
find / -type f \( -perm -04000 -o -perm -02000 \)
-look for files with no owners or no groups
find / -nouser -o -nogroup -print
-download the coroner's toolkit and have a go:
http://www.porcupine.org/forensics/tct.html
uh, there are more things you can do, but i'm sick and i sort of have a
hangover, so i'm not thinking too well. i think i need some beer.
=jay
On Mon, 12 Mar 2001, Warren Togami wrote:
> Uh oh. Could that mean someone is using you as spam relay?
>
> ----- Original Message -----
> From: "jay" <jay at musubi.org>
> To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
> Sent: Monday, March 12, 2001 7:32 AM
> Subject: [luau] RE: [Wftl-lug] lastlog and syslogd weirdness
>
>
> > Interesting ports on a24b31n75client13.hawaii.rr.com (24.31.75.13):
> > (Ports scanned but not shown below are in state: filtered)
> > Port State Service
> > 25/tcp open smtp
> > 80/tcp open http
> >
> > TCP Sequence Prediction: Class=random positive increments
> > Difficulty=2767344 (Good luck!)
> >
> > Sequence numbers: AF26824B AEB0D9D5 AEDA7808 AF48FC22 AEBD934B AEE13CD5
> > Remote OS guesses: Linux 2.1.122 - 2.2.14, Linux kernel 2.2.13
> >
> >
> > On Mon, 12 Mar 2001, Warren Togami wrote:
> >
> > > Oops. I don't have nmap installed right now and I have to go to school.
> > > Could somebody else please scan it?
> > >
> > > ----- Original Message -----
> > > From: "Nelson Garcia" <garcian002 at hawaii.rr.com>
> > > To: "Linux & Unix Advocates & Users" <luau at list.luau.hi.net>
> > > Sent: Monday, March 12, 2001 6:55 AM
> > > Subject: [luau] RE: [Wftl-lug] lastlog and syslogd weirdness
> > >
> > >
> > > > Thanks Warren and Marcel, my current IP is 24.31.75.13. It's Roadrunner,
> > > > so it is dynamic. You might want to let me know when/if you are going to
> > > > scan to make sure that I still have that IP and you don't scan the wrong
> > > > person.
> > > >
> > > > I think the disk problem is a more likely possibility, I'll check it out.
> > > > I'm not running a DNS server on that machine.
> > > >
> > > > Nelson
> > >
> > >
> > >
> > > ---
> > > You are currently subscribed to luau as: jay at musubi.org
> > > To unsubscribe send a blank email to $subst('Email.Unsub')
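As an added example (not code from the thread), jay's account and file-system checks above as POSIX sh functions that can be run against a saved known-good copy of /etc/passwd and a directory tree; the baseline path is an assumption, and the UID 0 check goes slightly beyond his list.

```shell
#!/bin/sh
# Added example (not from the thread): the account and file-system checks jay
# lists, wrapped as POSIX sh functions. BASELINE is assumed to be a copy of
# /etc/passwd saved while the host was known-good.

# Login names from a passwd-format file, sorted for comm(1).
account_names() {
    cut -d: -f1 "$1" | sort
}

# Accounts present in CURRENT ($2) but not in BASELINE ($1).
new_accounts() {
    base_tmp=$(mktemp); cur_tmp=$(mktemp)
    account_names "$1" > "$base_tmp"
    account_names "$2" > "$cur_tmp"
    comm -13 "$base_tmp" "$cur_tmp"
    rm -f "$base_tmp" "$cur_tmp"
}

# Any account other than root that has UID 0 (a common backdoor pattern).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# "modified" if FILE ($1) has a newer mtime than REFERENCE ($2), else "unchanged".
modified_since() {
    [ -n "$(find "$1" -prune -newer "$2" -print)" ] && echo modified || echo unchanged
}

# Regular files with the setuid or setgid bit under a directory tree.
privileged_files() {
    find "$1" -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null | sort
}

# Files whose owner or group no longer exists in passwd/group.
orphan_files() {
    find "$1" \( -nouser -o -nogroup \) -print 2>/dev/null | sort
}

# Usage: sh hostcheck.sh /path/to/passwd.baseline  (checks the running host)
if [ -n "$1" ]; then
    echo "== accounts added since baseline =="; new_accounts "$1" /etc/passwd
    echo "== extra UID 0 accounts ==";          extra_uid0 /etc/passwd
    echo "== /etc/passwd vs baseline ==";       modified_since /etc/passwd "$1"
    echo "== setuid/setgid files ==";           privileged_files /
    echo "== files with no owner/group ==";     orphan_files /
fi
```

Compare the setuid list against a copy taken at install time; a new entry outside the package-managed binaries is what you are looking for.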