
[ale] Cannot chown unowned files



On Wed, 2005-08-24 at 12:49 -0400, C. Lee Davis wrote:
> Randy C. Ramsdell wrote:
> > It would probably be a really good idea to do some sort of analysis of the
> > system to find out how the compromise occurred. This way you won't enable
> > the same server that obviously has an issue.
> > 
> Absolutely.  I'm FTPing the logs off now.  Thanks for the advice.  If I
> can't figure it out, you guys will definitely hear.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://www.ale.org/mailman/listinfo/ale

Just some info: A good hack or rootkit will clean the logs.

1. Don't reboot
2. Check .bash_history if you are using bash.
3. Run lsof <--- this is missed a lot by rootkits
4. Copy known good ps, ls, netstat, etc. commands and use those.
5. Check for "..." directories, etc.
6. Etc. More if you really want to dig deep into this.
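
Steps 3 to 5 of the checklist above, plus the unowned-file check from the thread subject, as a read-only shell script; this is an added example, not part of the original post. `TRUSTED_BIN` and the function names are hypothetical, and `lsof +L1` (open files with a link count below 1) is one way to apply step 3.

```shell
#!/bin/sh
# Added example (not from the original post): read-only triage helpers.
# TRUSTED_BIN is a hypothetical path to known-good binaries (step 4),
# for example a read-only mount of statically linked tools.
if [ -n "${TRUSTED_BIN:-}" ]; then
    PATH="$TRUSTED_BIN:$PATH"
    export PATH
fi

# Step 5: print directories under $1 whose names consist only of dots
# and/or spaces ("...", ".. ", ". "), which are easy to misread in ls output.
find_dot_dirs() {
    find "$1" -xdev -type d \
        ! -name '*[!. ]*' ! -name . ! -name .. \
        -print 2>/dev/null
}

# Step 3: open files that have been unlinked from disk but are still held
# by a running process. This evidence is lost on reboot (step 1).
deleted_open_files() {
    lsof -n +L1 2>/dev/null
}

# Thread subject: files whose owner or group has no passwd/group entry.
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) -print 2>/dev/null
}

# Run all three checks when invoked with a directory, e.g. ./triage.sh /
if [ "$#" -ge 1 ]; then
    echo "== directories named with only dots/spaces under $1"
    find_dot_dirs "$1" || true
    echo "== deleted but still open files"
    deleted_open_files || echo "(lsof unavailable or returned nothing)"
    echo "== unowned files under $1"
    unowned_files "$1" || true
fi
```

Redirect the output to removable media or another host rather than to the suspect disk.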