On 7/7/06, Frank Elsner <Elsner@xxxxxxxxxxxxxxxx> wrote:
> Oh YES. You've been hacked. Recheck with "chkrootkit".
Thanks for the suggestion. I ran chkrootkit, and it was all not found/not infected/no suspect files. But there're just too many suspicious files such as

S.?..... /usr/sbin/lpasswd
S.?..... /usr/sbin/luseradd
S.?..... /usr/sbin/luserdel
S.?..... /usr/sbin/lusermod
...

to believe it was a simple rpm database corruption.
> Disconnect from net and re-install.
I'll do a reinstall, but I'd love to know where's the hole first, otherwise there's nothing to save me from the same thing happening again. Not that I know where to look... The usual suspects (portmap, sendmail, etc.) are not running, and I thought my firewall rules were pretty strict (who doesn't? :-)), iptables -L says

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere            tcp dpts:0:1023
DROP       udp  --  anywhere             anywhere            udp dpts:0:1023
DROP       tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN
DROP       icmp --  anywhere             anywhere            icmp echo-request

Chain FORWARD (policy DROP)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (0 references)
[there's more here, but hopefully, 0 references means that they're irrelevant]

Andras
> --Frank Elsner
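An added example, not part of the original message: a first-match walk of the INPUT chain quoted above, run over constructed packets to show which traffic is dropped by a rule and which falls through to the ACCEPT policy. It assumes every rule applies to all interfaces (plain `iptables -L` does not print the interface columns; `iptables -L -v` does), and the names `verdict`, `audit` and `SAMPLES` are hypothetical.

```python
# Added example: stateless, first-match evaluation of the quoted INPUT chain.
# Assumption: rules match on every interface (not visible without `-v`).

SYN_MASK = {"FIN", "SYN", "RST", "ACK"}  # flags examined by rule 3


def _low_port(proto):
    # "dpts:0:1023" for the given protocol
    return lambda p: p["proto"] == proto and 0 <= p.get("dport", -1) <= 1023


def _new_tcp(p):
    # "flags:FIN,SYN,RST,ACK/SYN": of the four masked flags, only SYN is set
    return p["proto"] == "tcp" and (set(p.get("flags", ())) & SYN_MASK) == {"SYN"}


INPUT_CHAIN = [
    ("DROP", _low_port("tcp")),
    ("DROP", _low_port("udp")),
    ("DROP", _new_tcp),
    ("DROP", lambda p: p["proto"] == "icmp" and p.get("type") == "echo-request"),
]
INPUT_POLICY = "ACCEPT"  # "Chain INPUT (policy ACCEPT)"


def verdict(packet):
    """Return (target, rule_number); rule_number is None when the policy decides."""
    for number, (target, match) in enumerate(INPUT_CHAIN, 1):
        if match(packet):
            return target, number
    return INPUT_POLICY, None


# Constructed sample packets, not taken from the message.
SAMPLES = {
    "tcp SYN to 22": {"proto": "tcp", "dport": 22, "flags": ["SYN"]},
    "tcp SYN to 8080": {"proto": "tcp", "dport": 8080, "flags": ["SYN"]},
    "tcp SYN+ACK to 40000": {"proto": "tcp", "dport": 40000, "flags": ["SYN", "ACK"]},
    "udp to 32768": {"proto": "udp", "dport": 32768},
    "icmp echo-request": {"proto": "icmp", "type": "echo-request"},
}


def audit():
    return {name: verdict(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, (target, rule) in audit().items():
        print(f"{name:22} {target:6} {'policy' if rule is None else 'rule %d' % rule}")
```

Anything reported as `policy` is accepted only because no DROP rule matched, so those are the listeners worth checking with `netstat -lnp` before the reinstall.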