It's possible that those mystery processes only ran one time and covered up their activity afterwards, or maybe they run at some regular interval, who knows. Personally, I would sleep better at night after rebuilding the box.

Also, I would recommend that you have different passwords for different sites. You don't want a security hole at one site completely opening your boxes at another site (as was the case with you). It's even better if each box has a different password from all the others.

~M

On Wed, 19 Jun 2002, technomage wrote:

> according to the "last" command, he logged in as a user on one of my accounts
> and was on for 6 minutes.
>
> I checked elsewhere and found that there had been no other activity (even to
> checking the backups of some of the history files that are made each hour).
>
> after that, I checked to make sure there weren't any outbound connections to
> his IP range (there weren't). I used a clean box as a sniffer for this. I
> then proceeded to change all system passwords and user account passwords.
> Then, I loaded clean versions of rpm, etc and proceeded to do a package
> verification. I even did md5 checksum comparisons and sig checking.
>
> I checked with a couple of folks I know in the computer security field (one
> of whom is currently serving duty with the US Navy at their facility in
> southern California (the USN Naval Post Graduate School). Given information
> from him (and others), I made an assumption that the intruder hadn't gotten
> very far into my system, and that since all passwords were changed
> immediately following the incident AND that the offending IP range
> (ns.rotind.ro) was placed in iptables as immediate drop, I saw no other
> incursions until yesterday evening.
>
> what I find odd is that the incursion didn't stick. said "invisible
> processes" that were recorded before aren't there now.
>
> just as a measure, I also made sure that my system has current patches for
> apache (which I do run a webserver here on port 8000) and I've tested any cgi
> scripts and other things using a tool called nessus.
>
> so far, after the last 12 hours, I can't seem to find any evidence that an
> incursion (intrusion) has taken place other than that 1 log entry written by
> chkrootkit that one time.
>
> so, I'm at a loss. am I trojaned or not?
>
> Technomage
>
> On Wednesday 19 June 2002 12:55 pm, you wrote:
> > --- technomage wrote:
> > > ok,
> > >
> > > as a safety measure when I first found an intruder on my system some
> > > weeks back, I changed all passwords, ran chattr +ui on some specified
> > > directories
> >
> > Hmm.... the fact that you had an intruder is not a good sign. Even though
> > you changed the passwords, etc, there may have already been something in
> > place that passed that info back to the intruder. Any idea on how long the
> > intruder had access to your system?
> >
> > Personally, I would cut my losses - print (yes print) any config files that
> > you want to re-implement, wipe the box and re-install from scratch.
> >
> > Or
> >
> > if you have the disk to spare, rebuild the system on a new disk. Once
> > done, mount up the old disk - don't run anything from it - and give it a
> > thorough going over - see if you can figure out what was done to compromise
> > the system.
> >
> > ________________________________________________
> > See http://PLUG.phoenix.az.us/navigator-mail.shtml if your mail doesn't
> > post to the list quickly and you use Netscape to write mail.
> > PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
> --
> I will not be pushed, filed, stamped, indexed, briefed, debriefed, or
> numbered!
> My life is my own - No. 6
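The thread's two checks, md5/package verification of the running box and a "thorough going over" of the old disk mounted on a clean system, both come down to comparing files against a known-good baseline. The script below is an added example, not code from anyone on the list: it builds a SHA-256 manifest from a clean tree and then reports modified, missing and unexpected files on a mounted copy; the manifest format and the tiny sample tree are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Digest a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Digest every regular file under root, keyed by root-relative path."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest

def verify(root: Path, baseline: dict) -> dict:
    """Compare a mounted, non-running tree against the baseline manifest."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "missing": sorted(p for p in baseline if p not in current),
        "new": sorted(p for p in current if p not in baseline),
    }

def demo() -> dict:
    """Constructed scenario (hypothetical contents): snapshot a tiny clean
    tree, then tamper with it the way the thread describes and re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "ps").write_bytes(b"clean ps binary")
        (root / "bin" / "ls").write_bytes(b"clean ls binary")
        (root / "etc" / "passwd").write_bytes(b"root:x:0:0::/root:/bin/sh\n")
        baseline = build_manifest(root)
        # Simulated compromise: replaced ps, an extra hidden file, a deleted ls.
        (root / "bin" / "ps").write_bytes(b"ps that hides processes")
        (root / "bin" / ".hidden").write_bytes(b"unknown payload")
        (root / "bin" / "ls").unlink()
        return verify(root, baseline)

if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken from install media or a freshly built disk, and the check is run against the suspect disk mounted read-only, never from binaries on the suspect disk itself.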