[ale] Cannot chown unowned files
On Wed, 2005-08-24 at 12:49 -0400, C. Lee Davis wrote:
> Randy C. Ramsdell wrote:
> > It would probably be a really good idea to do some sort of analysis of the
> > system to find out how the compromise occurred. This way you won't enable
> > the same server that obviously has an issue.
> Absolutely. I'm FTPing the logs off now. Thanks for the advice. If I
> can't figure it out, you guys will definitely hear.
Just some info: A good hack or rootkit will clean the logs.
1. Don't reboot.
2. Check .bash_history if you are using bash.
3. Run lsof <--- this is missed a lot by rootkits.
4. Copy known-good ps, ls, netstat, etc. commands and use those.
5. Check for "..." directories, etc.
6. Etc. More if you really want to dig deep into this.
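
Steps 4 and 5 of the checklist above, combined into one check. This is an added example, not part of the original post. The names `TRUSTED_BIN` and `find_dot_dirs` are hypothetical, and the example generalizes "..." to other directory names that imitate `.` and `..`.

```shell
#!/bin/sh
# Added example (not from the original post). TRUSTED_BIN and find_dot_dirs
# are hypothetical names chosen for this sketch.
#
# Step 4: take find from a directory of known-good binaries (for example
# read-only media) instead of the possibly replaced copy on the host.
# Leave TRUSTED_BIN empty to fall back to the find on PATH.
TRUSTED_BIN=${TRUSTED_BIN:-}

find_dot_dirs() {
    root=${1:-/}
    find_cmd=${TRUSTED_BIN:+$TRUSTED_BIN/}find
    # Step 5: match directory names that imitate "." and "..":
    #   '...*'  three or more leading dots ("...", "....")
    #   '.. *'  two dots followed by a space
    #   '. *'   one dot followed by a space
    #   ' *'    a leading space
    # Ordinary dot-directories such as ".config" do not match.
    # -xdev keeps the walk on a single filesystem.
    "$find_cmd" "$root" -xdev -type d \
        \( -name '...*' -o -name '.. *' -o -name '. *' -o -name ' *' \) \
        -print 2>/dev/null |
    while IFS= read -r d; do
        # Brackets make trailing spaces in the name visible.
        printf '[%s]\n' "$d"
    done
}
```

Call it as `TRUSTED_BIN=/mnt/cdrom/bin find_dot_dirs /` (the mount point is an assumed path); it does not handle directory names that contain newlines.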