Mitchell,
I have already tried 'lionfind' and 'adorefind'
scripts, but they said it was clean.
Then I ran MD5; this is my output:

.......T c /etc/hosts.allow
S.5....T c /etc/services
S.5....T c /etc/localtime
.......T c /etc/nsswitch.conf
S.5....T c /etc/bashrc
S.5....T c /etc/info-dir
.M.....T c /usr/X11R6/lib/X11/fonts/Speedo/fonts.dir
.M.....T c /usr/X11R6/lib/X11/fonts/Type1/fonts.dir
SM5....T c /usr/X11R6/lib/X11/fonts/misc/fonts.dir
SM5....T   /bin/ps
SM5....T   /usr/bin/top
.......T c /etc/syslog.conf
SM5....T c /etc/inittab
missing    /etc/ppp/ip-down
missing    /etc/ppp/ip-up
.......T c /etc/rc.d/rc.local
S.5....T c /etc/rc.d/rc.sysinit
S.5....T c /etc/sysconfig/network-scripts/ifcfg-lo
S.5..UGT c /etc/X11/fs/config
.M.....T c /usr/X11R6/lib/X11/fonts/75dpi/fonts.dir
.M......   /var/spool/at/.SEQ
.M......   /dev/hdc
.M......   /dev/log
.....UG.   /dev/tty0
......G.   /dev/tty1
......G.   /dev/tty2
......G.   /dev/tty3
......G.   /dev/tty4
......G.   /dev/tty5
......G.   /dev/tty6
.....UG.   /dev/tty7
.....U..   /dev/vcs1
.....U..   /dev/vcs2
.....U..   /dev/vcs3
.....U..   /dev/vcs4
.....U..   /dev/vcsa1
.....U..   /dev/vcsa2
.....U..   /dev/vcsa3
.....U..   /dev/vcsa4
S.5....T c /etc/mc.global
.......T c /usr/share/fonts/default/Type1/fonts.dir
S.5....T   /usr/share/fonts/fontmap
S.5....T   /usr/lib/umb-scheme/slibcat
S.5....T c /etc/sysconfig/pcmcia
.M...... c /etc/conf.linuxconf
.M......   /var/log/htmlaccess.log
.M......   /var/log/netconf.log
missing    /usr/sbin/lpd
S.5....T   /bin/netstat
S.5....T   /sbin/ifconfig
S.5....T c /etc/pam.d/passwd
S.5....T c /usr/share/pci.ids
missing    /etc/rc.d/init.d/portmap
S.5....T   /usr/lib/python1.5/site-packages/cgiwrap.pyc
S.5....T   /usr/lib/python1.5/site-packages/xmlrpclib.pyc
S.5....T   /usr/lib/rhs/python/Conf.pyc
S.5....T   /usr/lib/rhs/python/PasswordCrypt.pyc
S.5....T   /usr/lib/rhs/python/buttonbar.pyc
S.5....T   /usr/lib/rhs/python/foldertabs.pyc
S.5....T   /usr/lib/rhs/python/listbox.pyc
S.5....T   /usr/lib/rhs/python/rhdialog.pyc
S.5....T   /usr/lib/rhs/python/rhentry.pyc
S.5....T   /usr/lib/rhs/python/rhtkinter.pyc
S.5....T   /usr/lib/rhs/python/rhutil.pyc
S.5....T   /usr/lib/rhs/python/textbox.pyc
S.5....T c /etc/inetd.conf
......G.   /etc/aliases.db
S.5....T c /etc/mail/access
S.5....T c /etc/sendmail.cf
S.5....T c /etc/sendmail.mc
S.5....T   /var/log/sendmail.st
S.5....T   /usr/share/rhn/register/checklist.pyc
S.5....T   /usr/share/rhn/register/progress.pyc
S.5....T c /etc/pam.d/login
......G.   /var/spool/uucp
.......T c /etc/yp.conf
S.5....T   /boot/kernel.h
.......T c /etc/ftphosts
missing    /tmp/ltmodem/ltmodem.o
S.5....T c /etc/mgetty+sendfax/login.config
S.5....T   /usr/share/rhn/register/hardware.pyc
S.5....T   /usr/share/rhn/register/rhnreg.pyc
S.5....T   /usr/share/rhn/register/translate.pyc
S.5....T c /etc/sysconfig/rhn/up2date
S.5....T   /usr/share/rhn/up2date/config.pyc
S.5....T   /usr/share/rhn/up2date/translate.pyc
S.5....T   /usr/share/rhn/up2date/up2date.pyc

Now tell me, what should I do?
Thanks, Kumar.
--- Mitchell Henderson <[EMAIL PROTECTED]> wrote:
> First go to SANS and get the lion-find and adore-find
> scripts to be sure you got hacked.
> If you have, then I'd re-install and _PATCH YOUR
> SYSTEM_.
> Also, if you want to know what's on port 54321, use a
> tool called `lsof`; it's very useful.
> 
> On Thu, Apr 05, 2001 at 01:55:39PM -0700, Student Student wrote:
> > Hello,
> > I think I have been scanned/hacked (worm Lion/Adore),
> > not really sure. But the symptoms are the same.
> >
> > 1.) My 'ps', 'top', 'nfslock:rpc.locked' do not work
> > right.
> >
> > 2.) tcp port at 54321 is at state LISTEN
> >
> > What is the best way to overcome the problem?
> >
> > Regards,
> > Kumar.
> > _______________________________________________
> > Redhat-list mailing list
> > [EMAIL PROTECTED]
> > https://listman.redhat.com/mailman/listinfo/redhat-list
> Mitchell Henderson            [EMAIL PROTECTED]
>                   314/935-4341    
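Added example, not part of the original thread: the listing in the message above has the layout of RPM's verify output (`rpm -Va`, assumed here), and this sketch parses that layout and sorts findings so that altered or missing packaged binaries such as `/bin/ps` stand out from routine config and device-node changes. The function names, bucket names and sample lines are constructed for illustration.

```python
import re

# Constructed sample in the same layout as the listing quoted in the message.
SAMPLE = """\
S.5....T c /etc/services
SM5....T   /bin/ps
SM5....T   /usr/bin/top
missing    /usr/sbin/lpd
.....UG.   /dev/tty0
S.5....T   /bin/netstat
S.5....T  
/usr/lib/python1.5/site-packages/cgiwrap.pyc
"""

FLAGS = {"S": "size", "M": "mode", "5": "digest", "D": "device",
         "L": "symlink", "U": "owner", "G": "group", "T": "mtime",
         "P": "capabilities"}  # P is a 9th column in newer rpm releases
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")
BIN_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")

def parse(text):
    """Yield (changes, is_config, path); rejoins paths wrapped onto the next line."""
    pending = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if pending and line.startswith("/"):
            line, pending = pending + " " + line, None
        m = LINE.match(line)
        if not m:
            pending = line or None  # possibly a flag field whose path was wrapped
            continue
        pending = None
        field, attr, path = m.groups()
        changes = ["missing"] if field == "missing" else [FLAGS[c] for c in field if c in FLAGS]
        yield changes, attr == "c", path

def triage(text):
    """Bucket paths: content-changed or missing binaries, config, other, metadata-only."""
    out = {"binary": [], "config": [], "other": [], "metadata": []}
    for changes, is_config, path in parse(text):
        altered = "digest" in changes or "missing" in changes
        if not altered:
            key = "metadata"
        elif path.startswith(BIN_DIRS):
            key = "binary"
        else:
            key = "config" if is_config else "other"
        out[key].append(path)
    return out
```

The verify result is only as trustworthy as the `rpm` binary and package database that produced it, so on a host suspected of compromise the comparison is best run from known-good media against the mounted disk.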

