[ale] Cannot chown unowned files

Randy C. Ramsdell rramsdell at adelphia.net
Wed Aug 24 13:04:40 EDT 2005


On Wed, 2005-08-24 at 12:49 -0400, C. Lee Davis wrote:
> Randy C. Ramsdell wrote:
> > It would probably be a really good idea to do some sort of analysis of the
> > system to find out how the compromise occurred. This way you won't enable
> > the same server that obviously has an issue.
> > 
> Absolutely.  I'm FTPing the logs off now.  Thanks for the advice.  If I
> can't figure it out, you guys will definitely hear.

Just some info: A good hack or rootkit will clean the logs.

1. Don't reboot.
2. Check .bash_history if you are using bash.
3. Run lsof <--- this is missed a lot by rootkits.
4. Copy known good ps, ls, netstat, etc. commands and use those.
5. Check for "..." directories, etc.
6. Etc. More if you really want to dig deep into this.
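
The checklist above, sketched as an added example that is not part of the original post: it runs ps and lsof from a trusted directory, compares ps against /proc, and lists directories named to hide beside "." and "..". The TRUSTED path and the function names are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Live-triage helpers for a suspected compromise (added example).
# TRUSTED is an assumption: a directory of known-good static binaries,
# e.g. on read-only media, used instead of possibly trojaned system ones.
TRUSTED="${TRUSTED:-/mnt/trusted/bin}"

# Step 5: directories named to blend in with "." and ".." ("...", ".. ", " ").
find_odd_dirs() {
    find "$1" -xdev -type d \
        \( -name '...*' -o -name '.. *' -o -name '. *' -o -name ' *' \) \
        -print 2>/dev/null | sort
}

# Steps 3-4: PIDs present under PROC_DIR but absent from a ps listing
# (LISTING holds one PID per line). A userland-trojaned ps hides processes
# that /proc still shows; short-lived processes can cause false positives.
pids_missing_from() {
    local listing="$1" proc_dir="${2:-/proc}" entry pid
    for entry in "$proc_dir"/[0-9]*; do
        [ -d "$entry" ] || continue
        pid="${entry##*/}"
        case "$pid" in *[!0-9]*) continue ;; esac
        grep -qx "$pid" "$listing" || echo "$pid"
    done
}

triage() {
    local root="$1" listing
    listing="$(mktemp)"
    "$TRUSTED/ps" -e -o pid= | tr -d ' ' > "$listing"
    echo "== PIDs in /proc not shown by ps =="
    pids_missing_from "$listing" /proc
    echo "== open files already unlinked from disk (lsof +L1) =="
    "$TRUSTED/lsof" -n -P +L1
    echo "== odd directory names under $root =="
    find_odd_dirs "$root"
    rm -f "$listing"
}

# Runs only when asked to: ./triage.sh --run /
if [ "${1:-}" = "--run" ]; then triage "${2:-/}"; fi
```

Send the output to another host or removable media rather than the suspect disk, and treat a clean result as inconclusive, since a kernel-level rootkit can hide entries from /proc as well.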



