From: Grant Edwards
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Did I just get hacked???
Date: Sun, 11 Feb 2007 04:29:24 +0000 (UTC)

On 2007-02-11, Chris Nolan wrote:

> A long time ago when a LAMP box of mine got hacked.. they installed a
> program in /tmp/ that would connect to IRC servers. Basically they made
> my box a bot. The way I found it was I saw outgoing IRC connections when
> I was in netstat looking for something else.
>
> They got me through an exploit in awstats which I no longer run. The
> only way I was sure that I got rid of the hack was I wiped and reloaded
> the machine from scratch.
>
> Long of it is.. check for odd processes as well.

A good rootkit will install a "ps" that won't show the 'bot processes.
The one time a machine of mine got hacked, netstat still worked, but I
don't know why a hacked netstat couldn't be installed as well.

Looking through /proc/ is probably still reliable.

-- 
Grant Edwards                   grante             Yow!  I am deeply CONCERNED
                                  at               and I want something GOOD
                               visi.com            for BREAKFAST!

-- 
gentoo-user@gentoo.org mailing list
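One way to do the /proc cross-check Grant suggests, added here as an example that is not part of the thread: list the numeric directories in /proc and report any PID that ps does not mention. It assumes a Linux /proc layout and a ps that accepts `-e -o pid=` (procps); short-lived processes that start or exit between the two snapshots show up as false positives, so re-run before drawing conclusions.

```sh
#!/bin/sh
# Cross-check PIDs present in /proc against the PIDs that ps reports.
# A trojaned ps that hides bot processes leaves PIDs that exist in
# /proc but never appear in its output. Example code, not from the thread.

# list_proc_pids PROCDIR: print every numeric directory name in PROCDIR
# (PROCDIR is /proc on a live system; a constructed tree in tests).
list_proc_pids() {
    for entry in "$1"/[0-9]*; do
        [ -d "$entry" ] || continue
        basename "$entry"
    done
}

# hidden_pids PROCDIR PSFILE: print PIDs found in PROCDIR but absent from
# PSFILE, which holds one PID per line (e.g. the output of `ps -e -o pid=`,
# leading blanks included). Both lists are sorted the same way for comm(1).
hidden_pids() {
    proc_list=$(mktemp) || return 1
    ps_list=$(mktemp) || return 1
    list_proc_pids "$1" | LC_ALL=C sort -u > "$proc_list"
    tr -d ' \t' < "$2" | grep -v '^$' | LC_ALL=C sort -u > "$ps_list"
    comm -23 "$proc_list" "$ps_list"
    rm -f "$proc_list" "$ps_list"
}

# scan_live_system: snapshot ps, compare it with /proc, and print the
# command line of every PID ps did not report. Processes that start or
# exit between the two snapshots appear as false positives; re-run to
# confirm before treating a PID as hidden.
scan_live_system() {
    snapshot=$(mktemp) || return 1
    ps -e -o pid= > "$snapshot"
    for pid in $(hidden_pids /proc "$snapshot"); do
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
        printf 'hidden from ps: pid %s cmd: %s\n' "$pid" "${cmd:-<unreadable>}"
    done
    rm -f "$snapshot"
}

# Run the live check only when asked, so the functions can be sourced.
if [ "${1-}" = "--scan" ]; then
    scan_live_system
fi
```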