Re: possibly compromised redhat 7.2 box

• Previous message: Chris Goodwin: "RE: restricted management for some users."
• Maybe in reply to: Melissa McGillis: "possibly compromised redhat 7.2 box"
• Next in thread: James Turnbull: "Re: possibly compromised redhat 7.2 box"
• Reply: James Turnbull: "Re: possibly compromised redhat 7.2 box"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 21 May 2004 09:46:33 -0700
To: <mcgillim@cis.uab.edu>, <security-basics@securityfocus.com>

http://www.chkrootkit.org

That site is a good start. then from there I like to check the /var/log directory, run dmesg and see if the port was ever put in listening mode. Bring over a clean ps, ls, du, df, lsof, netstat and from there you can start to get a real picture of the machine.

Eric Gunnett
System Administrator
Zoovy, Inc.
eric@zoovy.com

>>> "Melissa McGillis" <mcgillim@cis.uab.edu> 05/20/04 12:17PM >>>
Hello,

I have a redhat 7.2 server that stopped accepting my ssh login. I can still
use my login at the terminal. I also noticed that the host key changed. My
only guess at this point is that the box was probably compromised. Any good
software out there to help me figure it out? Any other ideas as to what
would cause this?
Anything helps,
Melissa
(THIS IS IN NO WAY AFFILIATED WITH UAB. It's just the address I use for
lists.)

---------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
----------------------------------------------------------------------------

• Previous message: Chris Goodwin: "RE: restricted management for some users."
• Maybe in reply to: Melissa McGillis: "possibly compromised redhat 7.2 box"
• Next in thread: James Turnbull: "Re: possibly compromised redhat 7.2 box"
• Reply: James Turnbull: "Re: possibly compromised redhat 7.2 box"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages RE: Removing Local Admin Rights... ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ... (Security-Basics) RE: HIPAA_Compliance ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ... (Security-Basics) RE: Cisco CSA ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ... (Security-Basics) RE: Minimum password requirements ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... Attend a course taught by an expert instructor with years of in-the-field ... pen testing experience in our state of the art hacking lab. ... (Security-Basics) Betr.: RE: fax software in the domain ... Ethical Hacking at the InfoSec Institute. ... to facilitate one-on-one interaction with one of our expert instructors. ... pen testing experience in our state of the art hacking lab. ... Attend a course taught by an expert instructor with years of in-the-field ... (Security-Basics)