On Sat, 3 Mar 2001, Rilindo Foster wrote:
> Feb 27 22:35:35 redhserver rpc.statd[360]: gethostbyname error for
> ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿bffff750 8049710 8052c28687
...
> Feb 27 22:38:20 redhserver adduser[3642]: new user: name=sql, uid=0, gid=0,
> home=/bin, shell=/bin/bash
DANGER, DANGER WILL ROBINSON!
That definitely looks like you've been hacked.

rpc.statd is one of those notorious security holes. There are updates
fixing all the known exploits, but I'm guessing this was done before you
had a chance to install them.

The next part shows someone adding a user account 'sql' with the same uid
as root. Basically, it is a backdoor account and has no legitimate
purpose.

thornton
_______________________________________________
Redhat-list mailing list
https://listman.redhat.com/mailman/listinfo/redhat-list
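
Added example, not part of the original message: a small log scan that flags the two kinds of entry discussed above, an rpc.statd `gethostbyname error` whose argument cannot be a hostname and a newly created account with uid 0. The function name `scan`, the rule labels and the sample lines are assumptions made for this illustration; the sample lines are constructed, modelled on the quoted entries.

```python
import re

# Classic syslog layout: "Mon DD HH:MM:SS host prog[pid]: message".
SYSLOG = re.compile(
    r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<prog>[^\[:\s]+)(?:\[\d+\])?: (?P<msg>.*)", re.S)
STATD_ERR = re.compile(r"gethostbyname error for (?P<arg>.*)", re.S)
NEW_USER = re.compile(r"new user: name=(?P<name>[^,]+), uid=(?P<uid>\d+)")
# A real hostname only contains these characters.
HOSTNAME = re.compile(r"[A-Za-z0-9._-]{1,253}")


def scan(lines):
    """Return (timestamp, rule, detail) tuples for suspicious entries."""
    findings = []
    for raw in lines:
        m = SYSLOG.fullmatch(raw.rstrip("\n"))
        if not m:
            continue  # not a syslog entry, skip it
        prog, msg = m["prog"], m["msg"]
        if prog == "rpc.statd":
            err = STATD_ERR.fullmatch(msg)
            # statd was asked to resolve something that is not a hostname
            if err and not HOSTNAME.fullmatch(err["arg"]):
                detail = repr(err["arg"][:16])  # repr keeps raw bytes readable
                findings.append((m["ts"], "statd-bad-hostname", detail))
        elif prog == "adduser":
            user = NEW_USER.search(msg)
            # a new account that shares root's uid is a second root login
            if user and int(user["uid"]) == 0:
                findings.append((m["ts"], "uid0-account", user["name"]))
    return findings


# Constructed sample input, modelled on the entries quoted in the message.
SAMPLE = [
    "Feb 27 22:30:01 redhserver rpc.statd[360]: gethostbyname error for "
    "oldclient.example.com",
    "Feb 27 22:35:35 redhserver rpc.statd[360]: gethostbyname error for "
    "\x18\xf7\xff\xbf\x18\xf7\xff\xbfbffff750 8049710",
    "Feb 27 22:38:20 redhserver adduser[3642]: new user: name=sql, uid=0, "
    "gid=0, home=/bin, shell=/bin/bash",
    "Feb 28 09:12:44 redhserver adduser[4101]: new user: name=alice, uid=501, "
    "gid=501, home=/home/alice, shell=/bin/bash",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding)
```

The ordinary failed lookup and the uid 501 account pass through unflagged; only the non-hostname statd argument and the uid 0 account are reported.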