Service: ingreslock (tcp/1524) (,none,eth0) - 3 packets

Benjamin J. Weiss benjamin at birdvet.org
Tue Feb 1 15:14:03 UTC 2005


Kevin Passey wrote:

>Hi all,
>
>I found this in my LogWatch so I started Googling and became very nervous that I had been hacked.
>
>I checked for all the various /tmp/bob files etc - installed chkrootkit and ran it - nothing !! I've blocked all the relevant outgoing traffic on my router/firewall and installed firestarter.
>
I would run chkrootkit from a live CD.  Specifically, I'd download and 
burn a LiveCD of knoppix-std or one of the others that has chkrootkit, 
then I'd reboot with that CD, mount your old filesystem, and run 
chkrootkit that way.  It's the only way to ensure that you don't have 
hostile kernel modules hiding themselves.  Of course, if you have been 
rooted, I wouldn't expect that those log entries would have shown up...

Ben
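One way to script the offline check Ben describes, as an added example that is not part of the original thread. It assumes a live-CD shell with chkrootkit installed, takes the suspect root partition as a block device (hypothetical /dev/sdXN), and refuses to scan unless the kernel confirms the mount is read-only:

```shell
#!/bin/sh
# Added example (not from the original thread): offline chkrootkit scan of a
# suspect root filesystem from a live CD, as Ben recommends.
# Assumptions: a live-CD shell with chkrootkit installed; the suspect root
# partition is given as a block device (e.g. /dev/sda1) and is NOT the
# running system; mount/umount need root.

# Return 0 if MOUNTPOINT appears in a /proc/mounts-style table with the 'ro'
# option, 1 otherwise. The table defaults to /proc/mounts; a file path may be
# passed so the check can be exercised on constructed input.
verify_ro_mount() {
    mnt="$1"
    table="${2:-/proc/mounts}"
    awk -v m="$mnt" '
        $2 == m {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++) if (opts[i] == "ro") { ro = 1 }
        }
        END { exit (found && ro) ? 0 : 1 }
    ' "$table"
}

# Mount DEV read-only at MNT (nothing on the suspect disk may execute), verify
# the kernel really honoured 'ro', then run chkrootkit with -r so it inspects
# the suspect tree while using the live CD's own trusted ps/ls/netstat.
scan_offline() {
    dev="$1"; mnt="$2"
    mkdir -p "$mnt"
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt" || return 1
    if ! verify_ro_mount "$mnt"; then
        echo "refusing to scan: $mnt is not mounted read-only" >&2
        umount "$mnt"
        return 1
    fi
    chkrootkit -r "$mnt"
    rc=$?
    umount "$mnt"
    return $rc
}

# Only act when invoked as: offline_scan.sh /dev/sdXN /mnt/suspect
if [ "$#" -ge 2 ]; then
    scan_offline "$1" "$2"
fi
```

Because the live CD supplies the kernel and the binaries, a module or trojaned `ps` on the suspect disk cannot hide entries from this scan; the read-only mount also keeps the evidence unchanged for any later examination.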



