On Wed, 2005-04-27 at 14:15 +0200, Daniel Kirsten wrote:
> >meaning that they did gain root access after all but were able to hide this
> >through a rootkit???
> >
> >/Håkan
>
> They tried to login as root, but according to /var/log/secure, they used a
> wrong password. Later on, they probably gained root access in order to
> manipulate files which have write access only to root.
>

That's a very good reason to use swatch to move them to the firewall on the first try. For the hell of it, we use tarpit for this purpose which is the proverbial "Roach Motel."

--
Multi-RBL Check: http://www.TQMcube.com/rblcheck.htm
Kill Spam at the Source: http://www.TQMcube.com/spam_trap.htm
Today's Spam Trap Adds: http://www.TQMcube.com/BlockedToday
RBLDNSD HowTo: http://www.TQMcube.com/rbldnsd.htm
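The "block on the first failed root login" idea from the reply above, as an added example. It is not code from this thread and not a swatch configuration. It assumes the usual sshd line format in /var/log/secure; the function names, the allowlist parameter and the sample addresses are constructed for illustration, and the rules are only rendered as text, never executed.

```python
import ipaddress
import re

# Constructed sample lines in the sshd /var/log/secure format (not from the thread).
SAMPLE_LOG = """\
Apr 27 03:12:45 host sshd[2101]: Failed password for root from 203.0.113.7 port 40112 ssh2
Apr 27 03:12:49 host sshd[2103]: Failed password for invalid user root from 10.0.0.1 from 198.51.100.9 port 40113 ssh2
Apr 27 03:13:02 host sshd[2107]: Failed password for root from 192.0.2.10 port 51515 ssh2
Apr 27 03:13:05 host sshd[2109]: Accepted password for daniel from 192.0.2.44 port 51600 ssh2
Apr 27 03:13:09 host sshd[2111]: Failed password for root from 203.0.113.7 port 40120 ssh2
"""

# Anchored on both sides: the user name field is chosen by the remote client,
# so a loose "root from (\S+)" pattern would pick up the address embedded in
# the user name on the second sample line and block the wrong host.
ROOT_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for root from (\S+) port \d+ ssh2$"
)

def sources_to_block(log_text, allowlist=()):
    """Return IPv4 sources with a failed root login, in first-seen order."""
    allowed = {ipaddress.IPv4Address(a) for a in allowlist}
    seen = []
    for line in log_text.splitlines():
        m = ROOT_FAIL.search(line)
        if not m:
            continue
        try:
            # Only a well-formed address may ever reach a firewall command.
            addr = ipaddress.IPv4Address(m.group(1))
        except ValueError:
            continue
        if addr not in allowed and addr not in seen:
            seen.append(addr)
    return [str(a) for a in seen]

def firewall_rules(addresses):
    """Render one DROP rule per address for review; nothing is executed."""
    return [f"iptables -I INPUT -s {a} -j DROP" for a in addresses]

if __name__ == "__main__":
    blocked = sources_to_block(SAMPLE_LOG, allowlist=["192.0.2.10"])
    print("\n".join(firewall_rules(blocked)))
```

The allowlist keeps an administrator's own mistyped root password from locking out a management address.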