Message-ID: <8d634f4f0702102006w78f419acp14ddc64a8652693d@mail.gmail.com>
Date: Sat, 10 Feb 2007 21:06:36 -0700
From: "Chris Nolan"
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Did I just get hacked???
In-Reply-To: <1171165124.381.9.camel@blackwidow.nbk>
References: <49bf44f10702101827k199bf270yfb65ed1f4f5195e0@mail.gmail.com> <1171165124.381.9.camel@blackwidow.nbk>

A long time ago when a LAMP box of mine got hacked.. they installed a program in /tmp/ that would connect to IRC servers. Basically they made my box a bot. The way I found it was I saw outgoing IRC connections when I was in netstat looking for something else. They got me through an exploit in awstats, which I no longer run.

The only way I was sure that I got rid of the hack was I wiped and reloaded the machine from scratch.

Long of it is.. check for odd processes as well.

--
gentoo-user@gentoo.org mailing list
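
The check described in the message above (outgoing IRC connections noticed in netstat, traced back to a program in /tmp/), as an added example that is not part of the original message: it parses `netstat -tnp` output and flags established connections that go to an IRC port or are owned by a binary running from a temp directory. The port list, temp directories, function names and sample data are assumptions constructed for illustration.

```python
import os

# Ports commonly used by IRC servers (assumption: extend for your environment).
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# World-writable locations where a dropped program typically lands (assumption).
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def exe_of(pid):
    """Resolve the binary behind a PID via /proc (Linux only); None if unreadable."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

def review_connections(netstat_lines, resolve_exe=exe_of):
    """Return findings for ESTABLISHED TCP connections in `netstat -tnp` output."""
    findings = []
    for line in netstat_lines:
        fields = line.split()
        # Skip headers, listeners and anything that is not an established TCP flow.
        if len(fields) < 7 or not fields[0].startswith("tcp") or fields[5] != "ESTABLISHED":
            continue
        remote, owner = fields[4], fields[6]
        rport = remote.rpartition(":")[2]
        pid = owner.split("/", 1)[0]          # owner is "PID/name", or "-" without root
        exe = resolve_exe(pid) if pid.isdigit() else None
        reasons = []
        if rport.isdigit() and int(rport) in IRC_PORTS:
            reasons.append("remote port is an IRC port")
        if exe and exe.startswith(TEMP_DIRS):
            reasons.append("binary runs from a temp directory")
        if reasons:
            findings.append({"pid": pid, "remote": remote, "exe": exe, "reasons": reasons})
    return findings

# Constructed sample data: documentation addresses, made-up PIDs and paths.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address      Foreign Address     State       PID/Program name
tcp        0      0 192.0.2.10:43512   198.51.100.7:6667   ESTABLISHED 4121/httpd
tcp        0      0 192.0.2.10:80      203.0.113.5:51234   ESTABLISHED 2210/apache2
tcp        0      0 192.0.2.10:40022   198.51.100.9:6697   ESTABLISHED 3300/irssi
tcp        0      0 0.0.0.0:22         0.0.0.0:*           LISTEN      900/sshd
""".splitlines()
SAMPLE_EXES = {"4121": "/tmp/.x/httpd", "2210": "/usr/sbin/apache2", "3300": "/usr/bin/irssi"}

if __name__ == "__main__":
    for finding in review_connections(SAMPLE, SAMPLE_EXES.get):
        print(finding)
```

On a live host, run it as root so netstat reports the owning PID, and call `review_connections` with the command's output lines and the default resolver. A finding with only the IRC-port reason can be a legitimate client; the two reasons together match the case in the message.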