RE: [SLUG] OK it's my fault - Help I've been hacked

From: Miller, Matt (Matt.Miller@expanets.com)
Date: Tue Aug 28 2001 - 09:15:54 EDT


>> Is there any way to find out which process is creating these zombies?

# ps axf | grep XXX   <-- where XXX = process id (the f flag shows the parent tree)

>> just never had them before the attack. Anyway they seem to be reproducing
>> about every 2 mins. So how can I get rid of them? Also how do you check a
>> port with telnet. Some of the ones I checked
>> timed out and gave me a message about the type of port it was. But one of
>> the ports is "listening" and it won't timeout or give me back any
>> information.

Check for unusual crontab entries in /var/spool/cron/crontabs.
Check /etc/inetd.conf (or xinetd.conf in Red Hat 7) for any unusual
services. Compare the service names to entries in /etc/services for port
information. Comment out any unknown services and do a " # killall -HUP
inetd ".
Check for any unusual daemons set to respawn in your /etc/inittab.

Compare " # ls -d /proc/[0-9]* " to the output of a ps command. Note any
differences.
Compare " # netstat -a " to a nmap query like " # nmap -p 1-65535 localhost
". Again look for any unusual or suspect open ports.
Check your /etc/passwd for any extraneous accounts not created by you or
your distro. Do a " # last username " on any unusual accounts to find out the
last login.
Run " # grep uid=0 /var/log/* " for all recent activity by root. Look for
any suspicious activity.

Hope this helps.

Matt



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:29 EDT