how to tell when you have a hacker?

Mike bmike101 at cox.net
Fri Feb 17 21:37:33 MST 2006


Well, it seems it is all okay (not that I would know). I suppose I should run 
chkrootkit daily and see if anything new shows up.

And I do disconnect the network (ifdown eth0 or power off).... I don't leave 
my computer on overnight (usually) or even on during the day..

bmike1 at 0[bmike1]$ sudo env
SSH_AGENT_PID=2476
TERM=xterm
SHELL=/bin/bash
XDM_MANAGED=/var/run/xdmctl/xdmctl-:0,maysd,mayfn,sched,rsvd
QTDIR=/usr/share/qt3
OLDPWD=/home/bmike1
USER=root
SSH_AUTH_SOCK=/tmp/ssh-aJsV2448/agent.2448
KDEDIR=/usr
KONSOLE_DCOP=DCOPRef(konqueror-26933,konsole)
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
KONSOLE_DCOP_SESSION=DCOPRef(konqueror-26933,session-1)
PWD=/home/bmike1
LANG=en_US
HOME=/home/bmike1
SHLVL=1
LOGNAME=root
DISPLAY=:0
_=/usr/bin/sudo
SUDO_COMMAND=/usr/bin/env
SUDO_USER=bmike1
SUDO_UID=1000
SUDO_GID=1000
bmike1 at 0[bmike1]$ ls -l /tmp/ssh-aJsV2448/agent.2448
srwxr-xr-x    1 bmike1   bmike1          0 2006-02-17 16:47 /tmp/ssh-aJsV2448/agent.2448
bmike1 at 0[bmike1]$ ls -l /tmp/ssh-*/agent*
srwxr-xr-x    1 bmike1   bmike1          0 2006-02-17 16:47 /tmp/ssh-aJsV2448/agent.2448
bmike1 at 0[bmike1]$



On Friday 17 February 2006 07:58 pm, Mike wrote:
> uh-ohhh
>
> 	Checking `sshd' ... /usr/bin/strings: Warning: `/' is not an ordinary file
> 	not infected
>
> 	Checking 'lkm' ... You have      4 process hidden for ps command
> 	Warning: Possible LKM Trojan installed
>
> Is this bad?
>
> On Friday 17 February 2006 07:17 pm, Mike Garfias wrote:
> > try chkrootkit
> >
> > Mike spoke forth with the blessed manuscript:
> > > how do you do it? I mean, will there be a new process (ps -e) or
> > > something?
> > >
> > > ---------------------------------------------------
> > > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> > > To subscribe, unsubscribe, or to change  you mail settings:
> > > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
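
The `lkm` warning quoted in this thread reports processes that `ps` does not list. As an added example (not part of the original thread and not chkrootkit's own code), this script cross-checks `/proc` against `ps` twice and keeps only PIDs missing from `ps` both times, because short-lived processes cause one-off mismatches. The function names and the `live` argument are assumptions of the example.

```shell
#!/bin/sh
# Added example: find PIDs that exist under /proc but are missing from ps output.

# Numeric directory names under a proc-style root (default: /proc).
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        if [ -d "$d" ]; then echo "${d##*/}"; fi
    done
}

# PIDs as reported by ps.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# Compare two PID lists (one PID per line); non-numeric lines are ignored.
#   pid_filter minus A B  -> PIDs of A that are absent from B
#   pid_filter both  A B  -> PIDs of A that are also in B
pid_filter() {
    printf '%s\n---\n%s\n' "$3" "$2" | awk -v mode="$1" '
        /^---$/     { second = 1; next }
        !/^[0-9]+$/ { next }
        !second     { seen[$0] = 1; next }
        { hit = ($0 in seen)
          if ((mode == "minus" && !hit) || (mode == "both" && hit)) print }'
}

# Take two snapshots and report only PIDs hidden from ps in both.
# Processes that exit between the /proc read and the ps call (including this
# script's own helpers) show up in one snapshot only and are dropped.
scan() {
    first=$(pid_filter minus "$(proc_pids)" "$(ps_pids)")
    sleep "${1:-2}"
    second=$(pid_filter minus "$(proc_pids)" "$(ps_pids)")
    pid_filter both "$first" "$second"
}

# Run against the live system only when asked: sh script.sh live
if [ "${1:-}" = "live" ]; then
    scan
fi
```

An empty result is not proof of a clean system: a kernel-level rootkit can hide the `/proc` entry as well, so a check run from the suspect machine itself only goes so far.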


