* Chris Metzler <[EMAIL PROTECTED]> [2004-07-22 22:18]:
> On Thu, 22 Jul 2004 17:42:53 -0500
> Paul Stolp <[EMAIL PROTECTED]> wrote:
> >
> > shutdown -h now !
>
> Believe it or not, this is often a bad idea.  It's often easier to
> determine the scope of a compromise by watching the intruder for a little
> while than to attempt to find out afterwards with forensics.

I thought this afterwards, but it appears the attacker went away empty
handed anyways. He was already logged out when I noticed the high load.
He tried to kill the "t" program, but couldn't. I suspect he was somewhat
inept (as was I with the pathetic password I assigned to the guest
account!). In reviewing the logs and bash history, it becomes fairly easy
to piece together. I will definitely consider your advice when I'm in
this situation again.

>
> > look for damage, whew, I was O.K.
>
> How did you determine this?

chkrootkit and, more satisfying to me, md5sums of some key binaries.

Thanks,
Paul