Nicole Zimmerman colby at wsu.edu
Mon Nov 15 01:48:16 EST 1999

> Looks like you might have been hacked.  I'd also look for other strange
> stuff, i.e. check your logs for strange things and strange omissions, look
> for recently changed files that you don't know anything about, look for
> anything unusual in ps, netstat, lsof.
> If you really want to be safe, format and reinstall everything.  If you
> don't want to do that, don't run any services you don't need, set up a
> firewall, and keep an eye on things, etc.

This is interesting:

[root at ghettoBOX cron]# cd /var/spool/cron
[root at ghettoBOX cron]# ls -l
total 1
-rw-------   1 root     root          202 Nov  3 17:34 root
[root at ghettoBOX cron]# cat root
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron installed on Wed Nov  3 17:34:09 1999)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp
* * * * *       /tmp/ns
[root at ghettoBOX cron]#

(I looked in crond's man page to find out where the hell it was looking for
this crontab job.)

But /usr/sbin/crond says it was created April 14.

*shrug* nothing strange in ps or netstat... no odd things appearing in
logs, no connections from those IP addys in any logs I saw. 

We're actually going to be installing a new hard drive and ditching the
ones we're currently on. Since I didn't start this system from the
bottom, I have to rely on my hubby to at least tell me the bare bones
(what he installed), but he usually says "uhh I don't know" which
doesn't really help.

Obviously whatever "hack" this was didn't work the way they wished it
to. I'll look back into strace.out and see what I missed, if anything.

I relocated the /var/spool/cron/root file, the /tmp/cron file, and the
/tmp/ns file. They're not gone, just moved. I'll try looking up some
more info tomorrow (maybe astalavista or something that'd give me the
other side of things). Try finding out who the IPs belong to...
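The finding above (a root crontab running a binary out of /tmp every minute) is the kind of thing worth checking for across every crontab on a box, not just the one you happened to stumble on. The script below is an added example and is not from this thread or from cron itself: a small POSIX sh audit that parses user crontab files in the /var/spool/cron format (no user column), extracts the command after the five schedule fields or an @reboot-style keyword, and flags any entry whose binary lives under a scratch directory (/tmp, /var/tmp, /dev/shm). The sample crontab it writes is constructed for the demonstration; only the `/tmp/ns` line mirrors the post.

```shell
#!/bin/sh
# Audit crontab files for commands that run out of scratch directories.
# Added example, not code from the original thread. The sample crontab
# written by write_sample_crontab is constructed for this demonstration.

SUSPECT_DIRS='/tmp /var/tmp /dev/shm'

# Print the command portion of one crontab line: everything after the
# five schedule fields, or after an @reboot/@daily keyword. Comments and
# blank lines print nothing. Assumes the /var/spool/cron format, which
# has no user column (system crontabs under /etc would need one more field).
cron_command() {
    case "$1" in
        ''|'#'*) return 0 ;;
        '@'*) printf '%s\n' "$1" | awk '{ $1=""; sub(/^ +/, ""); print }' ;;
        *)    printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }' ;;
    esac
}

# Classify a command by where its binary (first word) lives.
# Prints SUSPECT when it sits under one of SUSPECT_DIRS, otherwise ok.
classify_command() {
    bin=$(printf '%s\n' "$1" | awk '{ print $1 }')
    for d in $SUSPECT_DIRS; do
        case "$bin" in
            "$d"/*) echo SUSPECT; return 0 ;;
        esac
    done
    echo ok
}

# Walk one crontab file and print "<line-number>: <command>" for every
# flagged entry. Always exits 0 so it composes under set -e.
audit_crontab() {
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        cmd=$(cron_command "$line")
        [ -z "$cmd" ] && continue
        if [ "$(classify_command "$cmd")" = SUSPECT ]; then
            printf '%d: %s\n' "$n" "$cmd"
        fi
    done < "$1"
    return 0
}

# Number of flagged entries in a crontab file.
count_suspect() {
    audit_crontab "$1" | awk 'END { print NR }'
}

# Constructed sample: the header and /tmp/ns line mirror the post, the
# rest is made up to give the audit both clean and suspect entries.
write_sample_crontab() {
    cat > "$1" <<'EOF'
# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (cron installed on Wed Nov  3 17:34:09 1999)
* * * * *       /tmp/ns
0 3 * * *       /usr/sbin/logrotate /etc/logrotate.conf
@reboot         /var/tmp/.x/update >/dev/null 2>&1
15 * * * *      /usr/bin/find /home -name core -delete
EOF
}

# Demonstration on the constructed sample; on a real box you would loop
# over /var/spool/cron/* (or /var/spool/cron/crontabs/*) instead.
demo_file=$(mktemp)
write_sample_crontab "$demo_file"
audit_crontab "$demo_file"
rm -f "$demo_file"
```

Two of the six sample lines get flagged (the `/tmp/ns` entry and the `@reboot` entry under /var/tmp). A binary in a scratch directory is not proof of compromise on its own, but a legitimate package almost never installs one there, so anything this reports deserves the same follow-up the post describes: check the file's timestamps and contents, and compare against what ps and netstat show while it runs.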


