Mailing List Archive



Re: [tlug] Repairing a Possible Attack



> But, if there is an easier way to get at the problem and close
> the barn doors ...

Thought of a few things that can help in tracking down stuff on a host if it's been compromised.

You can use the last command to see which users have logged onto the system and from what IP addresses. I'd also check the system logs, /var/log/messages and company, and see if there is anything that looks out of the ordinary. Check the currently running processes and see if there looks like anything out of the ordinary, and do a port scan of the host (nmap) to see if it has any open ports that you know shouldn't be open. If you see an open port that you are not sure about, you can see what is using it with the lsof -i:<port_num> command.

I'm sure there is a lot more that can be done too but that's a start.

 
--
Romeo Theriault
System Administrator
Information Technology Services
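The checks listed in the message above (recent logins with last, listening ports with lsof, a process listing, an nmap scan) can be scripted so they are run the same way on every suspect host. The script below is an added example, not code from the original post or from TLUG. The sample `last -i` and `lsof -nP -i` output embedded in it is constructed, so the parsing functions run offline; the allow-lists of admin subnets and expected ports are assumptions that a real site would replace with its own values.

```sh
#!/bin/sh
# Added example: a small compromise-triage script built around the checks
# in the post (last, lsof -i, ps, nmap). The sample command output and the
# allow-lists are constructed/assumed, not taken from any real host.

# Constructed sample of `last -i` output (hosts, users and times are made up).
SAMPLE_LAST='root     pts/0        203.0.113.45     Mon Jan  1 02:13   still logged in
alice    pts/1        192.168.1.10     Sun Dec 31 09:00 - 17:00  (08:00)
root     pts/2        198.51.100.7     Sat Dec 30 03:41 - 03:55  (00:14)
alice    tty1         0.0.0.0          Fri Dec 29 08:30 - 18:00  (09:30)
reboot   system boot  5.10.0           Fri Dec 29 08:00   still running

wtmp begins Fri Dec 29 08:00:00 2023'

# Constructed sample of `lsof -nP -i` output (PIDs and sockets are made up).
SAMPLE_LSOF='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
nc       4021 nobody  3u  IPv4  99887      0t0  TCP *:31337 (LISTEN)
ntpd      900 ntp     16u IPv4  22222      0t0  UDP *:123'

# suspicious_logins LAST_OUTPUT "prefix1 prefix2 ..."
# Prints "user source" for each login whose source address does not start
# with one of the allowed prefixes. Console logins (0.0.0.0 under last -i),
# reboot records and the wtmp trailer are skipped.
suspicious_logins() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, pfx, " ") }
        $1 == "reboot" || $1 == "wtmp" || NF < 3 { next }
        $3 == "0.0.0.0" || $3 !~ /[.:]/ { next }   # local console / no host
        {
            ok = 0
            for (i = 1; i <= n; i++) if (index($3, pfx[i]) == 1) ok = 1
            if (!ok) print $1, $3
        }' | sort -u
}

# unexpected_listeners LSOF_OUTPUT "port1 port2 ..."
# Prints "command pid port" for each TCP listener not on an expected port.
unexpected_listeners() {
    printf '%s\n' "$1" | awk -v allow="$2" '
        BEGIN { n = split(allow, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
        /\(LISTEN\)/ {
            m = split($9, addr, ":")        # NAME column is addr:port
            port = addr[m]                  # last element handles [::1]:22 too
            if (!(port in ok)) print $1, $2, port
        }'
}

# live_triage "admin subnets" "expected ports"
# Runs the same checks against the host this script is executed on.
live_triage() {
    admin_nets="${1:-192.168.1.}"      # assumed: subnets admins log in from
    known_ports="${2:-22 123}"         # assumed: ports expected to be open
    echo "== logins from outside [$admin_nets] =="
    command -v last >/dev/null 2>&1 && suspicious_logins "$(last -i)" "$admin_nets"
    echo "== TCP listeners not in [$known_ports] =="
    command -v lsof >/dev/null 2>&1 && unexpected_listeners "$(lsof -nP -i 2>/dev/null)" "$known_ports"
    echo "== running processes (look for anything unfamiliar) =="
    ps auxww
    echo "== port scan of this host =="
    command -v nmap >/dev/null 2>&1 && nmap -sT -p- 127.0.0.1
}

# Uncomment to run against this host:
# live_triage "192.168.1. 10.0.0." "22 123"
```

One caveat when using this on a box that may already be rooted: last, ps and lsof read wtmp, /proc and the socket tables through binaries on that host, and a rootkit can replace or hook them. Run the checks from a known-good copy of the tools (or a rescue image) and compare the local port listing with an nmap scan from another machine; a port that nmap sees but lsof does not is worth a closer look.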
