[lug] Fun with being hacked

Scott A. Herod herod at interact-tv.com
Tue Aug 14 10:15:19 MDT 2001

HEROLD wrote:
> Does gdm normally have a passwd?  There is a gdm listed in the user
> accounts, but I thought that was just so gnome could do its thing?
> Should I password it next time?
> In general, since RH7.1 does not install the xwindows linuxconf, what's
> a quick way to find out what services are running on a machine?
> Thanks,
> Keith

My gdm account is not enabled.

There are a couple of things to check although often these files are
replaced to hide the root kit.  Since you're seeing messages showing
connections, I suspect that the cracker wasn't very sophisticated.

First, use rpm to verify some executables; namely those that provide
netstat, ls, ps, and lsof.  For example:

rpm --verify `rpm --query -f \`which netstat\``

(notice those are back quotes).  The above should return without
any errors.  Of course, it is possible that rpm was replaced so as not
to show errors.  Also, they might have installed a kernel module so that
the kernel lies and all of this is pointless.

Use netstat -a to see what ports are being listened to.

Use lsof -i to see what executables are listening to ports.

If you find out how they came in, let us know.
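A scripted version of the rpm check described above, added here as an example (not code from the original thread): it decodes the `rpm -V` flag column and runs the check over the four binaries the post names. The sample verify lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post: decodes `rpm --verify` output
# and runs the check for the four binaries the post names. The post's caveat
# holds: if rpm itself or the kernel was tampered with, a clean result proves nothing.

# Decode one `rpm -V` line, e.g. "S.5....T.    /bin/ls", "missing     /bin/ps" or
# ".......T.  c /etc/foo.conf" ("c" marks a config file), into "path: reasons".
# Flags: S size, M mode, 5 digest, D device, L symlink, U owner, G group,
# T mtime, P capabilities (9th column on newer rpm; RH 7.1-era rpm printed 8).
explain_rpm_verify_line() {
    set -- $1                        # word-split into: flags [attr] path
    flags=$1
    while [ $# -gt 1 ]; do shift; done
    path=$1
    [ "$flags" = "missing" ] && { echo "$path: missing"; return 0; }
    reasons=""
    for i in 1 2 3 4 5 6 7 8 9; do
        case "$(printf '%s' "$flags" | cut -c"$i")" in
            S) reasons="$reasons size" ;;     M) reasons="$reasons mode" ;;
            5) reasons="$reasons digest" ;;   D) reasons="$reasons device" ;;
            L) reasons="$reasons symlink" ;;  U) reasons="$reasons owner" ;;
            G) reasons="$reasons group" ;;    T) reasons="$reasons mtime" ;;
            P) reasons="$reasons capabilities" ;;
        esac
    done
    # "digest" on a binary means its contents differ from the package;
    # an mtime-only difference is far less alarming.
    echo "$path:$reasons"
}

# Verify the packages owning netstat, ls, ps and lsof. Returns 0 only if all
# verify clean; skips quietly where rpm is not installed.
verify_listed_binaries() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found; skipping" >&2; return 0; }
    rc=0
    for bin in netstat ls ps lsof; do
        path=$(command -v "$bin") || { echo "$bin: not in PATH"; continue; }
        pkg=$(rpm -qf "$path" 2>/dev/null) || { echo "$path: not owned by any package"; rc=1; continue; }
        out=$(rpm -V "$pkg")
        if [ -z "$out" ]; then echo "$path ($pkg): OK"; continue; fi
        rc=1
        printf '%s\n' "$out" | while IFS= read -r line; do explain_rpm_verify_line "$line"; done
    done
    return $rc
}

verify_listed_binaries || echo "one or more package checks failed" >&2
```

Any line other than "OK" for ls, ps, netstat or lsof deserves a closer look, with a digest change on a binary being the strongest sign that the file was replaced.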

