[NCLUG] FW: strange message sent to root

Quent quent at pobox.com
Mon Feb 26 18:14:31 MST 2001


On Mon, Feb 26, 2001 at 05:46:50PM -0700, Michael Dwyer wrote:
> > > I've never seen anything like that before on a Slack system.  Check the
> > > system logs (/var/log/messages) for any further mail traces.  Also, check
> > > the crontabs (crontab -l <username>) to see if there is a timed event
> > > causing these.  It LOOKS like it was sent local-to-local, so it is likely
> > > from your local machine.  Did you recently install some intrusion
> > > detection software?
> >
> > haven't installed anything new lately. in fact, the last couple months
> > i've been spending most of my free time learning as much as i can about
> > my system and how it works. there isn't much going on in my box. i went
> > thru the logs with my boss today and nothing stands out.
> 
> Ummm... Can I see?   Is your machine reachable via the internet?
> 
> It really sounds like there is a process started that shouldn't be.  Check
> the output of ktop (a windowy program) versus the output of "ps -aux" from
> the command line.  They should more-or-less match.  If you find anything
> different, then your /bin/ps has been replaced and is probably hiding things
> from you.
> 
> If it does match, you might send the output of "ps aux" to us.  I have a
> pretty good idea of what should be there.  (You might just send it to me
> instead of to everybody...) (n0zap @yahoo.com)
> 
> Here is another one to test.  This is from a Slack 7.1.0 box.  Yours should
> be the same.
> # md5sum /bin/ls
> a237c4817e3220e1a2277096f1baab7a  /bin/ls

This assumes his md5sum hasn't been replaced.

	Quent
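
Added example, not part of the original thread: one way to act on the caveat above is to run the comparison with an md5sum binary taken from trusted media (for instance a rescue disk) against a checksum list recorded on a clean machine of the same release. The function name, the baseline file format and the paths in the usage comment are assumptions made for this sketch.

```shell
#!/bin/sh
# Verify files against a known-good MD5 list using a hashing tool that does
# NOT come from the suspect system. Everything here is illustrative; the
# baseline format is "<md5>  <absolute path>", the same as md5sum output.

# verify_with_tool TOOL BASELINE [ROOT]
#   TOOL     - path to an md5sum binary you trust (e.g. on read-only media)
#   BASELINE - checksum list recorded on a clean install of the same release
#   ROOT     - mount point of the suspect filesystem ("" = running system)
# Prints one line per file. Returns 0 if every file matches, 1 if any file
# is missing or differs, 2 if the tool or baseline cannot be used.
verify_with_tool() {
    tool=$1
    baseline=$2
    root=${3:-}
    [ -x "$tool" ] || { echo "no usable hashing tool at $tool" >&2; return 2; }
    [ -r "$baseline" ] || { echo "cannot read baseline $baseline" >&2; return 2; }
    status=0
    while read -r want path; do
        [ -n "$want" ] || continue            # skip blank lines
        if [ ! -f "$root$path" ]; then
            echo "MISSING  $path"
            status=1
            continue
        fi
        # Call the tool by its full path so a replaced md5sum earlier in
        # PATH (or a shell alias) is never what actually runs.
        got=$("$tool" "$root$path" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path (expected $want, got $got)"
            status=1
        fi
    done < "$baseline"
    return $status
}

# Hypothetical usage, with the suspect disk mounted from a rescue boot:
#   verify_with_tool /mnt/rescue/bin/md5sum /mnt/rescue/clean.md5 /mnt/suspect
```

Booting from the rescue media and mounting the suspect disk under ROOT also takes the suspect kernel and shared libraries out of the picture, which running a trusted binary on the live system does not.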


