Ar an Tuesday 28 May 2002 12:10, scriobh tu:
> Hi Barry,
>> there's only really 2 options here:
>> 1/ Someone with appropriate access put the "crond " file there,
> because they don't understand/cannot use the installed version of
> cron.
That's a definite no - firstly the new file has a space as the last
character in the name - presumably to make it appear perfectly natual
when doing an ls, but so that the real crond will be called when
entered via the command line. Good idea actually! (if not a bit
unfortunate for me)
> 2/ Your worst nightmare has come true, and you've been
> hacked.
I think that's a definite.
What I really want to know is has anyone else seen a similar hack
before?
> The mail doesn't show the ownership of the file itself. I'd take it
> to be root??
Yeah root
>> Check what else may have happened on that system at that point in
> time. Check for other files that may have changed around that time
> as well... Has anyone _seemingly_ tampered with /var/log/* files
> (to cover tracks)?
I've checked all the log files - it actually looks like there's a gap
in and around the time of the hack on some of them - such as
messages, etc.
--
Regards,
Barry O'Donovan barry.odonovan at ucd.ie
Mobile: +353 (0)86 2891589, Office: +353 (0)1 716 2454
Roinn na Riomheolaiochta, An Colaiste Ollscoile, Baile Atha Cliath.
Department of Computer Science, University College Dublin.
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
