some unknown scripts
Matthew Carpenter
Mon May 17 12:01:43 PDT 2004
This may be a problem and it may not be. Before jumping to conclusions,
remain calm.
Check over the system for any other oddities which might indicate any
other strange behavior.
Check any verification signatures (AIDE or Tripwire) and logs for oddities.
If you need to seek deeper, set up a sniffer on the port this system is
on. Port scan it for open ports the OS may not be showing.
There are several rootkit detectors, one of which is chkrootkit, which
check for the existence of a rootkit. If your Unix/Linux system has
been hacked, this isn't any simple worm; it is someone planning to stay
a while (unless it's a theft-and-run deal like credit cards or corporate
secrets, etc.).
Copy those files off the box to some other Linux box and play around
with them (NOT a production system, mind you, but a disposable system,
possibly even a VMware virtual machine you have a backup of and can
dispose of).
Investigate the common utilities like rpm -V to verify the signatures of
various packages, but keep in mind that normal packages have variances,
most often in config files, and that these tools can be doctored to tell
you nothing of consequence.
If you are convinced the system is compromised, copy RAM to a networked
machine using dd | ssh and then power down the box (not shutdown, power
off hard) and create 3 copies of the HD using dd from a bootable distro
onto other drives, clean if possible, but zeroed either way.
Let us know if you need more paranoid behavior, there is more where this
came from. Perhaps you could tell us a little about the purpose of the box?
HTH,
Matt
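The triage steps in the reply above, as an added example that is not code from the original post or from any tool it names: POSIX shell helpers for reading `rpm -V` output, flagging processes that run from odd paths (like the "xinetd" under /var/spool/vbox in the question below), diffing the listener list the OS reports against an nmap scan taken from another machine, and taking memory and disk images with dd. The function names, the file arguments and the sample inputs are my own constructions; the /dev/mem caveat and the netstat-versus-ss note are mine, not the poster's.

```shell
#!/bin/sh
# Added example for the triage steps in the reply above (not code from the
# original post). Only the two acquisition helpers at the end touch the
# system; everything else reads text you feed it.

# Step 1: read `rpm -V` output and keep only what matters. rpm prints one
# line per changed file: a flag field (S size, M mode, 5 digest, D device,
# L link, U user, G group, T mtime), an optional attribute letter ("c" for
# config files, "d" for docs), then the path; or the word "missing" and the
# path. Changed config files are normal; a non-config file whose digest,
# size or mode changed, or which has gone missing, is what you look at.
# Caveat from the reply: a trojaned rpm binary or rpm database can report
# nothing, so run a known-good rpm from read-only media when you can.
rpm_verify_suspicious() {
    awk 'NF >= 2 {
             flags = $1; attr = (NF >= 3) ? $2 : ""
             if (attr == "c") next
             if (flags ~ /[5SM]/ || flags == "missing") print $NF
         }'
}

# Step 2: the box in the question runs a binary called "xinetd" out of a
# hidden directory under /var/spool. List every process with the path its
# /proc/<pid>/exe link points at and flag anything outside the usual
# system directories (a heuristic: /opt and /usr/local will show up too).
# On a live box, as root:
#   for p in /proc/[0-9]*; do
#       printf '%s %s\n' "${p#/proc/}" "$(readlink "$p/exe")"
#   done | misplaced_procs
misplaced_procs() {
    awk '{ path = $0; sub(/^[0-9]+ /, "", path)
           if (path !~ /^\/(usr\/)?(s?bin|lib|lib64|libexec)\//) print }'
}

# Step 3: ports the OS "may not be showing". Take the listener list from
# the suspect host and an nmap grepable scan (-oG) run from another
# machine, normalise both to proto/port, and diff them. A port the scanner
# sees but netstat does not is a hidden listener or a doctored netstat.
# (Current distributions use `ss -lntu`; its columns differ from netstat.)
local_listeners() {      # run on the suspect host; prints proto/port
    netstat -lntu 2>/dev/null |
        awk 'NR > 2 { n = split($4, a, ":"); print $1 "/" a[n] }' | sort -u
}
scanned_open() {         # reads `nmap -oG -` output on stdin; prints proto/port
    grep 'Ports:' | sed 's/.*Ports: //' | tr ',' '\n' | sed 's/^ *//' |
        awk -F/ '$2 == "open" { print $3 "/" $1 }' | sort -u
}
hidden_ports() {         # usage: hidden_ports listeners.txt scan.txt
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next } !($0 in seen)' "$1" "$2"
}

# Step 4: acquisition, once you are convinced. Memory first, over the
# network, before anything else is touched; then power off hard and image
# the disk from a bootable distro onto a drive you zeroed beforehand
# (dd if=/dev/zero of=/dev/sdX). The hash written beside each image is what
# lets you show later that a copy still matches what you took.
# /dev/mem was readable by root on the 2.4 kernels of that era; current
# kernels restrict it (CONFIG_STRICT_DEVMEM), so there you would load a
# memory-acquisition module such as LiME instead.
dump_memory_over_ssh() { # usage: dump_memory_over_ssh user@collector /evidence/ram.img
    dd if=/dev/mem bs=1M | ssh "$1" "cat > '$2'"
}
image_disk() {           # usage: image_disk /dev/sda /mnt/evidence/sda.img
    dd if="$1" bs=4M conv=noerror,sync | tee "$2" | sha256sum > "$2.sha256"
}
```

Run the first three steps from a trusted shell and trusted binaries where possible (a statically linked busybox or a CD with known-good coreutils), because the reply's point stands: on a rooted box `ls`, `netstat`, `ps` and `rpm` are exactly the tools an intruder replaces. The acquisition helpers use dd and tee only so that nothing has to be installed on the suspect host.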
Swapana Ghosh wrote:
>Hi
>
> Our server is
>Redhat 8.0... Today I noticed a few files/scripts under the following
>directory. Below I mentioned the path; please check under 'pwd'.
>There is an executable "xinetd" there and I found it is running
>in our server.
>
> Do you think our server has been compromised? I was checking
>the "mech.help" file which is here; it seems it is some IRC
>program... As far as I know, none of us installed these programs in
>our server... moreover it is running with the userid "apache"....
>
> It will be really appreciated if someone gives me some pointers....
>
>_____________________________________________________________________
>[root@server man]# pwd
>/var/spool/vbox/.. /. /.. /man
>[root@server man]# ls -laQ
>total 212
>drwxr-xr-x 3 apache apache 4096 Apr 26 15:01 "."
>drwxr-xr-x 3 apache apache 4096 Apr 25 06:39 ".."
>-rw-r--r-- 1 apache apache 942 Apr 6 2001 "checkmech"
>-rw-r--r-- 1 apache apache 22935 Apr 6 2001 "mech.help"
>-rw------- 1 root root 16384 Apr 26 15:01 ".mech.help.swp"
>-rw-r--r-- 1 apache apache 1011 Apr 26 12:00 "mech.levels"
>-rw------- 1 apache apache 6 Apr 25 06:39 "mech.pid"
>-rw-r--r-- 1 apache apache 850 Apr 26 12:00 "mech.session"
>-rw-r--r-- 1 apache apache 1486 Apr 4 03:32 "mech.set"
>-rw-r--r-- 1 apache apache 81 Apr 26 12:00 "mh.users"
>drwxr-xr-x 2 apache apache 4096 Apr 6 2001 "randfiles"
>-rwxr-xr-x 1 apache apache 134924 Apr 6 2001 "xinetd"
>[root@server man]#
>____________________________________________________________________
>
>Thanks
>-Swapna