From: "Ryan Sims"
To: gentoo-user@lists.gentoo.org
Date: Wed, 19 Sep 2007 15:11:58 -0400
Subject: Re: [gentoo-user] Hacked by association?

On 9/19/07, Grant wrote:
> > > Last night my host sent out a message that their database had been
> > > compromised. I contacted them this morning and it turns out that all
> > > of their trouble tickets were exposed. I checked my records and
> > > (stupidly) I had included my root password in an email to them about a
> > > year ago. I (stupidly) hadn't changed the password since. I've
> > > changed it now and rebooted the system, but what do you think? Do I
> > > need to start this thing over?
> > >
> > > - Grant
> >
> > I think you should take a look at the programs that
> > are running, and netstat -l, and see if anything is fishy.
>
> I recognize everything in 'ps -ef' I think, but I've never really used
> netstat before. Under "Active Internet connections" I don't
> recognize:
>
> tcp localhost:10030
> tcp *:snpp
>
> I don't recognize most of the paths under UNIX domain sockets.
> Anything particular I should look for?

Try using the -p option to netstat to get the PID of those two
connections, see if it's anything suspicious

-- 
Ryan W Sims
-- 
gentoo-user@gentoo.org mailing list
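
Added example, not part of the original message: a shell sketch of the `netstat -p` check suggested above, mapping each listening TCP port to its owning PID and program and listing the ones that are not on an allowlist. The sample output, PIDs, program names (`exampled`), the allowlist and the function names are constructed for illustration; `-n` is used so that `snpp` appears as its `/etc/services` port number, 444.

```shell
#!/bin/sh
# Constructed sample of `netstat -tlnp` output. Run netstat as root:
# otherwise the PID/Program column shows "-" for other users' sockets.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3650/sshd
tcp        0      0 127.0.0.1:10030         0.0.0.0:*               LISTEN      4121/exampled
tcp        0      0 0.0.0.0:444             0.0.0.0:*               LISTEN      -
EOF
}

# Print "port pid program" for every listening TCP socket read from stdin.
listener_owners() {
    awk '$1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, a, ":"); port = a[n]      # last ":" field, so IPv6 works too
        pid = "-"; prog = "-"
        if ($7 != "" && $7 != "-") {
            i = index($7, "/"); pid = substr($7, 1, i - 1); prog = substr($7, i + 1)
        }
        print port, pid, prog
    }'
}

# Print listeners whose program is not in the space-separated allowlist $1.
# Sockets with no visible owner ("-") are always reported.
unexpected_listeners() {
    listener_owners | awk -v allow="$1" '
        BEGIN { n = split(allow, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        !($3 in ok) { print }'
}

# Resolve the binary behind a PID. A " (deleted)" suffix on the link target
# means the file was unlinked or replaced after the process started.
describe_pid() {
    printf '%s exe=%s\n' "$1" "$(readlink "/proc/$1/exe" 2>/dev/null || echo unreadable)"
}

# On a live host: netstat -tlnp | unexpected_listeners "sshd"
sample_netstat | unexpected_listeners "sshd"
```

For each PID reported, `describe_pid` and `ps -fp PID` show which binary and command line hold the port.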