Re: Tracking outgoing connection attempts to a file or PID...
From: Scott Seltzer (sseltz3@mindspring.com)
Date: 03/09/03
From: sseltz3@mindspring.com (Scott Seltzer) Date: 9 Mar 2003 14:04:56 -0800
spinlock <spinlockNO@SPAM7a69ezine.orgHERE> wrote in message news:<b4ebtr$5k1$1@nsnmrro2-gest.nuria.telefonica-data.net>...
>
> I think that your Linux has been compromised, probably exploiting an
> Apache bug, and the intruder installed a good rootkit (a kernel rootkit, I
> think) and binaries aren't modified because kernel syscalls are working as
> the intruder wants. Next, the intruder is using your Linux box to scan the
> network looking for another vulnerable Apache.
>
> To confirm my theory you may reboot the system using another kernel
> without LKM (loadable kernel module) support and running 'ps' you should see
> the intruder's scanning process.
>
> GL, man.
I think that you're right...
Booting the server in single user mode should prevent the LKM from
being loaded so that I can investigate...
Thanks