[ale] Is it hacked?

Ken Nagorski kenn at pcintelligent.com
Sun Feb 11 23:19:02 EST 2001


Hi there,

	I have a question about security. OK... Check this out. A guy I
know runs a web server. He and this other kid have root. I just help him
out in a jam and do some of the more sophisticated stuff for him (not
that I wanna sound like I am tooting my own horn, just so you know where I
am coming from). Anyway, it seems that Friday the root passwd + account
went away. Hmm, sounds like it has been hacked, right? Well, I am not so
sure. We were able to re-create the account with webmin. I am not sure
how webmin was able to log in, regardless... Webmin saved the day, or so
to speak I guess.
	So I got in and looked around, can't find any signs of a hack,
doesn't look like ps or ls, or anything has been replaced, doesn't
look like there is anything funny coming from netstat, no strange
ports. There isn't anything in top that looks odd. I think that somehow
either one of the other two guys screwed up.
	But, maybe I think I am not looking in the right places. I found
one odd thing in the /root/.bash_history. This line right here:
vi NEED PASSWORD ?.html
What is that? It's strange, but if I hacked your box and had to do something
funky as that, I would delete it from the .bash_history, no?
	OK, the point of all this is, what else could I look for? Maybe
there are some people that have a little more experience with hackers and
security? 

Thanks
Ken

-- 
I've got all the money I'll ever need if I die by 4 o'clock.
                -- Henny Youngman

