On Wed, May 01, 2002 at 03:55:11PM -0400, Michael Long wrote:
It appears that my computer has been hacked into. The following services are run periodically throughout the day. How do I go about finding out what is starting and stopping them and, more importantly, prevent them from being run?
I have a hardware firewall between the computer and ISP.

17762 root sh -c (safe_finger -l @64.213.97.247 2>&1| /bin/mail -s "in.ftpd-64.213.97.247 unknown" root) &
17763 nobody safe_finger -l @64.213.97.247
17764 root /bin/mail -s in.ftpd-64.213.97.247 unknown root
17765 nobody finger -l 64.213.97.247
17768 root /usr/sbin/sshd
17770 root sh -c (safe_finger -l @::ffff:64.213.97.247 2>&1| /bin/mail -s "sshd-::ffff:64.213.97.247 unknown" root) &
17771 nobody safe_finger -l @::ffff:64.213.97.247
17772 root /bin/mail -s sshd-::ffff:64.213.97.247 unknown root
17773 nobody finger -l ::ffff:64.213.97.247

These look like commands generated by tcpwrappers. Check your /etc/hosts.allow and /etc/hosts.deny files.

--
Frank Sweetser fs at wpi.edu, fs at suave.net | $ x 18
Full-time WPI Network Engineer, Part time Linux/Perl guy | Woody: What's the latest, Mr. Peterson?
Norm: Zsa-Zsa marries a millionaire, Peterson drinks a beer. Film at eleven.
-- Cheers, Knights of the Scimitar
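
One way to carry out the check suggested in the reply, as an added example that is not part of the original thread: list every TCP Wrappers rule that runs a shell command, which is how a `safe_finger ... | /bin/mail` process tree like the one above gets started on each incoming connection. The function name `find_wrapper_commands` and the matching heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original message).
# find_wrapper_commands FILE...
#   Prints "file:line: rule" for each TCP Wrappers rule that runs a shell
#   command: a spawn/twist option (hosts_options syntax) or a parenthesised
#   command as an extra field. Backslash-continued lines are joined first,
#   and the reported line number is where the rule starts.
#   The regular expressions are a heuristic chosen for this example.

find_wrapper_commands() {
    for f in "$@"; do
        [ -r "$f" ] || continue          # skip files that do not exist
        awk -v file="$f" '
            # A trailing backslash continues the rule on the next line.
            /\\$/ {
                if (start == 0) start = NR
                sub(/\\$/, "")
                buf = buf $0
                next
            }
            {
                rule = buf $0
                line = start ? start : NR
                buf = ""; start = 0
                if (rule ~ /^[ \t]*(#|$)/) next      # comment or blank
                if (rule ~ /:[ \t]*(spawn|twist)[ \t(]/ || rule ~ /:[ \t]*\(/)
                    printf "%s:%d: %s\n", file, line, rule
            }
        ' "$f"
    done
}

# The two files named in the reply.
find_wrapper_commands /etc/hosts.allow /etc/hosts.deny
```

Any rule it prints is the place to edit: removing the command field stops the finger and mail processes from being spawned while leaving the allow or deny decision in place.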