  1. #1

    Is the box hacked?

    Two weird things happened.

    1. After I su, I used the Arrow Up key to recall the previous command, and I saw "last | more", which I never used. I ran last | more but saw no IP other than the one I log in from. Since I have used su many times, it can not be from the initial setup.

    2. My Mem in top has always been at least 20M regardless of whether there are hits on httpd or not. But one day it suddenly dropped to 10M. Since then, it always stays at 10M. So I wonder what kept the Mem usage at 20M for 5 days and then suddenly dropped it back to 10M? Was it some process running under a common name?

    I have 2 requests:

    1. How to check if the box is hacked?
    2. How to check the FULL path of the program running in top, since it only gives me the brief name of the program, such as httpd, sshd, cron. I am worried the hacker may name their programs httpd too.

  2. #2
    ps -aux | grep programname

  3. #3
    Qllonceagain,

    It's advisable to have your system admin do a security audit ASAP.

  4. #4
    Use:

    top -c

    to get the whole command line.
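    As an added example (not posted by anyone in this thread), a small POSIX shell script that does what #2 and #4 describe by reading /proc/PID/exe directly, and flags a process whose short name is httpd, sshd or cron but whose binary is not in the directory the package normally installs to, or has been deleted from disk after starting. The expected directories and the /tmp sample path are assumptions for a typical Linux install, not values from this thread.

```shell
#!/bin/sh
# Added example: map a short process name (as shown by top) to its real
# executable and flag binaries living outside their expected directories.
# The directories below are assumptions for a typical distribution.

# expected_dirs NAME -> directories the binary for NAME should live in
expected_dirs() {
  case "$1" in
    httpd)      echo "/usr/sbin /usr/local/apache/bin" ;;
    sshd)       echo "/usr/sbin /usr/local/sbin" ;;
    cron|crond) echo "/usr/sbin" ;;
    *)          echo "" ;;
  esac
}

# classify NAME EXE_PATH -> "ok", "suspect" or "unknown" (name not in list)
classify() {
  name=$1; exe=$2
  dirs=$(expected_dirs "$name")
  [ -z "$dirs" ] && { echo unknown; return 0; }
  case "$exe" in
    *" (deleted)") echo suspect; return 0 ;;   # binary removed after exec
  esac
  for d in $dirs; do
    [ "$exe" = "$d/$name" ] && { echo ok; return 0; }
  done
  echo suspect   # right name, wrong location (e.g. /tmp/.x/httpd)
}

# scan_proc: walk /proc and print every process that is not "ok".
# Run as root, otherwise other users' exe links are unreadable.
scan_proc() {
  for p in /proc/[0-9]*; do
    pid=${p#/proc/}
    name=$(cat "$p/comm" 2>/dev/null) || continue
    exe=$(readlink "$p/exe" 2>/dev/null) || exe="(unreadable)"
    verdict=$(classify "$name" "$exe")
    if [ "$verdict" != ok ]; then
      cmdline=$(tr '\0' ' ' < "$p/cmdline" 2>/dev/null)
      printf '%s\t%s\t%s\t%s\t%s\n' "$verdict" "$pid" "$name" "$exe" "${cmdline:-?}"
    fi
  done
}

if [ "${1:-}" = --scan ]; then
  scan_proc
fi
```

    Invoke it as `sh check_exe.sh --scan`; the "unknown" lines are just names not in the list, while "suspect" lines deserve a look at the path and command line.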

  5. #5
    I just posted this 5 mins ago in another forum, but install some rootkit detection software and run it daily. Set up logwatch and look at your server's output every day.

    Chkrootkit: http://www.chkrootkit.org

    Root Kit Hunter: http://www.rootkit.nl/projects/rootkit_hunter.html


    Install both of them and run them on a cron daily to email you the results.

    If you are rooted then wipe the box and start fresh, it is the only way to be sure the hacker is out of your system.

    Best of luck to you,

    C

  6. #6
    That is good advice. I would add that you can't count on the logs if the system has been compromised. Depending on what rootkit is running, you may not see anything unusual.

    Remember - these days most of the "root"ers out there now are pretty invested in flying under the radar so they can keep the box around as a spamming machine or to host phishing sites.
