If your machine has been broken into, the only way to clean it up is to reformat and reinstall. They cannot trust any binary left on the system (including the kernel) so you won't truly know when you've cleaned it up.

Scott

On Wed, 1 May 2002, Michael Long wrote:
It appears that my computer has been hacked into. The following services are run periodically throughout the day. How do I go about finding out what is starting and stopping them and, more importantly, prevent them from being run?
I have a hardware firewall between the computer and isp.
17762 root sh -c (safe_finger -l @64.213.97.247 2>&1| /bin/mail -s "in.ftpd-64.213.97.247 unknown" root) &
17763 nobody safe_finger -l @64.213.97.247
17764 root /bin/mail -s in.ftpd-64.213.97.247 unknown root
17765 nobody finger -l 64.213.97.247
17768 root /usr/sbin/sshd
17770 root sh -c (safe_finger -l @::ffff:64.213.97.247 2>&1| /bin/mail -s "sshd-::ffff:64.213.97.247 unknown" root) &
17771 nobody safe_finger -l @::ffff:64.213.97.247
17772 root /bin/mail -s sshd-::ffff:64.213.97.247 unknown root
17773 nobody finger -l ::ffff:64.213.97.247
Thanks, Mike
_______________________________________________
Wlug mailing list
Wlug@mail.wlug.org
http://mail.wlug.org/mailman/listinfo/wlug