Has my server been hacked?
Matt Graham
linux at bizniche.com
Sun Nov 13 09:58:46 CST 2005
I wrote to this guy and asked him what he meant. There ARE a lot of
pictures of me and my sister on that website. Vacation pics and things.

I ran chkrootkit and the only (possibly) negative results I got were:

Checking `sniffer'... eth0: PF_PACKET(/sbin/dhclient)
Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
Searching for suspicious files and dirs, it may take a while...
/usr/lib/j2se/1.4/jre/.systemPrefs
/usr/lib/j2se/1.4/jre/.systemPrefs/.systemRootModFile
/usr/lib/j2se/1.4/jre/.systemPrefs/.system.lock
/usr/lib/j2se/1.4/jre/.systemPrefs

I guess that since I even suspect that it's compromised, I should reinstall.

Matt

> On Sun, 13 Nov 2005, Matt Graham wrote:
>
>> Hi. I got this email (below) from someone saying that my server is
>> attacking theirs. They used my IP in the subject line as well.
>>
>> Is this what happens when a system is rooted? If I suspect that this has
>> happened, is my best option to reinstall?
>
>> Hello, I am not sure if you are aware that your server is conducting a
>> vulnerability search and is continually hitting my server. I am guessing
>> that you are unaware of it since the attacking IP is riddled with personal
>> pictures of yourself and your sister. Could you please look into this
>> ASAP. Grant.
>
> Hunhh? I've never seen a "vulnerability search" that is "riddled with
> personal pictures" of "your sister".
>
> This looks like crap, did the email contain an attachment with a windows
> executable format by chance?
>
> And as to the question of what happens when a system is rooted, if it's
> rooted right you'll never even know.
>
> Regards,
>
> -Don
>
>
--
http://themdg.org