try to verify the files. First type:
rpm -qf /bin/login
That will give you the package to verify against. Then type:
rpm -V the-package-name
The reason I suggested checking this routine is that it's the first
thing the cracker goes after.
As for the /var/log files, see if there's anything strange in messages
and xferlog. Of course, a cracker will usually try to remove log
entries.
While I'm being paranoid, I would want to satisfy myself that this isn't
the problem before I'd look elsewhere. If you haven't installed
tripwire, you should. Of course it's a little late for this if your
machine has been cracked. And make sure you have applied all the
security patches if you haven't been doing this.
I hope it's something else.
Fred
Scott Skrogstad wrote:
>
> I looked at /bin/login and it has a date of Sept 9, 1999. What should I
> look for in the logs?
>
> Scott Skrogstad
> Computer Integration Inc,
> [EMAIL PROTECTED]
> 800-522-3475 Phone
>
> On Tue, 21 Mar 2000, Frederic Herman wrote:
>
> > One possibility. Your server was cracked. I'd look there first. Look
> > at your log files, see if files like /bin/login have been changed. If
> > you can rule this out, next thing to check is DNS.
> >
> > Fred
> >
> >
> > Scott Skrogstad wrote:
> > >
> > > Today I tried to telnet to one of my servers that is normally very fast.
> > > And it took forever to get a login prompt. What could be the problem?
> > >
> > > Scott Skrogstad
> > > Computer Integration Inc,
> > > [EMAIL PROTECTED]
> > > 800-522-3475 Phone
> > >
> > > --
> > > To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> > > as the Subject.
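One way to read the output of the `rpm -V` check suggested in the top message, added here as an example and not part of the original thread. The function name `classify_rpm_verify`, the severity labels and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: triage `rpm -V` output. Each line is a flag string, an
# optional one-letter file kind (c = config, d = doc, ...), then the path.
# Flags: 5 = digest differs, S = size, M = mode, U/G = owner/group, T = mtime;
# "." = test passed. "missing" replaces the flags when the file is gone.

# Constructed sample output (not taken from the thread).
SAMPLE='S.5....T.    /bin/login
S.5....T.  c /etc/pam.d/login
.......T.    /usr/bin/passwd
.M.......    /bin/su
missing      /usr/share/doc/example/README'

# Reads rpm -V lines on stdin, prints "LEVEL path reason" for each.
# The levels and reason words are this example's own labels, not rpm's.
classify_rpm_verify() {
    while read -r flags rest; do
        [ -z "$flags" ] && continue
        case "$rest" in
            [a-z]\ *) kind=${rest%% *}; path=${rest#* } ;;  # kind letter present
            *)        kind=""; path=$rest ;;
        esac
        if [ "$flags" = missing ]; then
            level=WARN; reason=missing
        elif [ "$kind" = c ]; then
            level=INFO; reason=config      # edited config files are expected
        else
            case "$flags" in
                *5*)         level=HIGH; reason=digest ;;  # contents replaced
                *M*|*U*|*G*) level=HIGH; reason=perms ;;   # mode or ownership
                *)           level=LOW;  reason=minor ;;   # e.g. mtime only
            esac
        fi
        printf '%s %s %s\n' "$level" "$path" "$reason"
    done
}

# Real use: rpm -V "$(rpm -qf /bin/login)" | classify_rpm_verify
printf '%s\n' "$SAMPLE" | classify_rpm_verify
```

On a host that may already be compromised, the local rpm binary and database are themselves untrusted, so a clean result from this check does not prove the files are intact.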