[NCLUG] FW: strange message sent to root
Michael Dwyer
mdwyer at sixthdimension.com
Mon Feb 26 17:46:50 MST 2001
> > I've never seen anything like that before on a Slack system. Check the
> > system logs (/var/log/messages) for any further mail traces. Also, check the
> > crontabs (crontab -l <username>) to see if there is a timed event causing
> > these. It LOOKS like it was sent local-to-local, so it is likely from your
> > local machine. Did you recently install some intrusion detection software?
>
> haven't installed anything new lately. in fact, the last couple months i've
> been spending most of my free time learning as much as i can about my system
> and how it works. there isn't much going on in my box. i went thru the logs
> with my boss today and nothing stands out.
Ummm... Can I see? Is your machine reachable via the internet?

It really sounds like there is a process started that shouldn't be. Check the
output of ktop (a windowy program) versus the output of "ps -aux" from
the command line. They should more-or-less match. If you find anything
different, then your /bin/ps has been replaced and is probably hiding things
from you.

If it does match, you might send the output of "ps aux" to us. I have a
pretty good idea of what should be there. (You might just send it to me
instead of to everybody...) (n0zap @yahoo.com)

Here is another one to test. This is from a Slack 7.1.0 box. Yours should
be the same.
# md5sum /bin/ls
a237c4817e3220e1a2277096f1baab7a /bin/ls
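
The ps cross-check described in this message, as an added example that is not part of the original post: it compares the PIDs listed under /proc with the PIDs ps reports and prints any that ps omits. The function names are hypothetical, and it assumes a Linux /proc plus trustworthy copies of grep, tr, basename and mktemp (ideally run from known-good media, since a replaced /bin/ps rarely travels alone).

```shell
#!/bin/sh
# Added example: find PIDs that exist in /proc but are missing from ps output.

# Numeric directory names under a proc root (default /proc): the kernel's view.
proc_pids() {
    for d in "${1:-/proc}"/[0-9]*; do
        [ -d "$d" ] && basename "$d"
    done
    return 0
}

# PIDs in list file $1 that do not appear in list file $2 (one PID per line).
missing_from() {
    grep -vxFf "$2" "$1" || true
}

# Snapshot /proc once and ps twice. A PID counts as hidden only if it is
# absent from both ps runs and still present in /proc afterwards, which
# filters out processes that started or exited between the snapshots.
hidden_pids() {
    tmp=$(mktemp -d) || return 1
    proc_pids /proc > "$tmp/proc"
    ps -e -o pid= | tr -d ' ' > "$tmp/ps1"
    ps -e -o pid= | tr -d ' ' > "$tmp/ps2"
    missing_from "$tmp/proc" "$tmp/ps1" > "$tmp/m1"
    missing_from "$tmp/m1" "$tmp/ps2" | while read -r pid; do
        if [ -d "/proc/$pid" ]; then
            echo "$pid"
        fi
    done
    rm -rf "$tmp"
}

# Run the live check only when asked: sh script.sh scan
if [ "${1:-}" = "scan" ]; then
    hidden_pids
fi
```

No output from the scan means ps and /proc agree; it does not rule out a kernel-level rootkit that also filters /proc.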