Related to root login
Tim Wunder
tim
Mon May 17 11:51:35 PDT 2004
On Monday 25 August 2003 10:46 pm, someone claiming to be burns wrote:
> On Mon, 2003-08-25 at 18:00, Swapana Ghosh wrote:
<snippage>
> > ~
>
> This looks normal. But I would be very(!) suspicious of any system where
> logins, particularly root, have mysteriously changed - especially given
> the way you are telnetting in the clear.
>
> I recommend you unplug your box from the network and go through the logs
> with great care, looking for any hint of something out of place. A good
> cracker will try to cover his tracks, so the indicators may be very
> subtle. I don't suppose you were running Tripwire?
I've heard/read good things about:
http://www.chkrootkit.org/
Might be worth taking a look-see...
Regards,
Tim
--
RedHat 8.0 Kernel 2.4.20-19.8, KDE 3.1.3, Xfree86 4.2.1
10:50pm up 3 days, 4:48, 3 users, load average: 1.57, 0.99, 0.58
It's what you learn after you know it all that counts
More information about the Linux-users
mailing list