[wplug] Need help with a snort alert. Did my box get hacked?
Tom Rhodes
trhodes at FreeBSD.org
Fri Oct 21 20:17:26 EDT 2005
On Fri, 21 Oct 2005 09:12:49 -0400
Chris Romano <romano.chris at gmail.com> wrote:
> I came in this morning and checked my snort alerts (morning routine), and
> noticed the following:
>
[SNIP]
>
> Can anyone help me verify that I wasn't hacked?
Umm, you have rkhunter installed? No? Install it! And enable
process accounting so the next time this happens, you have
something to check. Look for something like this from chkrootkit:
Checking `bindshell'... INFECTED (PORTS: 1008)
Checking `lkm'... You have 1 process hidden for readdir command
You have 1 process hidden for ps command
Warning: Possible LKM Trojan installed
In the meantime, this looks like a false positive if:
Port 2121 is closed;
You are not using PHP;
chkrootkit returns nothing.
--
Tom Rhodes
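The `lkm' lines Tom quotes come from cross-checking three views of the process table: what the kernel admits exists when you probe it with kill(pid, 0), what readdir(/proc) lists, and what ps lists. The script below is an added example, not chkrootkit's code and not from this thread: it parses a chkrootkit report for the alarm lines shown above and re-does that cross-check, taking the readdir/ps snapshots before and after the probe so a process that simply exited mid-scan is not reported as hidden. It assumes `ps -axo pid=` is available and, on Linux, that /proc is mounted.

```python
import os
import re
import subprocess
CHECK = re.compile(r"^Checking `(?P<test>[^']+)'\.\.\. (?P<rest>.*)$")
ALARM = re.compile(r"INFECTED|hidden|Warning")  # case-sensitive so "not infected" never matches

def parse_chkrootkit(report):
    """(test, message) for each alarming line; bare lines belong to the last `Checking' test."""
    findings, current = [], None
    for line in report.splitlines():
        m = CHECK.match(line.strip())
        current, rest = (m.group("test"), m.group("rest")) if m else (current, line.strip())
        if ALARM.search(rest):
            findings.append((current, rest))
    return findings

def _is_thread(pid):
    """Linux kill(2) also accepts thread ids; keep only thread-group leaders."""
    try:
        with open(f"/proc/{pid}/status") as f:
            return any(ln.startswith("Tgid:") and int(ln.split()[1]) != pid for ln in f)
    except OSError:
        return False  # no /proc (FreeBSD) or entry hidden from us: keep the pid

def pids_by_probe(max_pid=99999):  # 99999 is FreeBSD's PID_MAX; on Linux use /proc/sys/kernel/pid_max
    alive = set()
    for pid in range(1, max_pid + 1):
        try:
            os.kill(pid, 0)
        except ProcessLookupError:
            continue
        except PermissionError:
            pass  # exists, owned by another user
        if not _is_thread(pid):
            alive.add(pid)
    return alive

def pids_by_listing():
    # (readdir view, ps view): the two listings chkrootkit compares against the probe
    readdir = {int(n) for n in os.listdir("/proc") if n.isdigit()} if os.path.isdir("/proc") else set()
    out = subprocess.run(["ps", "-axo", "pid="], capture_output=True, text=True, check=False).stdout
    return readdir, {int(t) for t in out.split()}

def hidden_pids(probe, readdir, ps):
    # pids alive per the probe but absent from readdir (when /proc exists) or from ps
    return {"readdir": sorted(probe - readdir) if readdir else [], "ps": sorted(probe - ps)}

def scan():
    r1, p1 = pids_by_listing()
    probe = pids_by_probe()
    r2, p2 = pids_by_listing()
    return hidden_pids(probe, r1 | r2, p1 | p2)  # union absorbs processes that exited mid-scan
```

A non-empty "ps" or "readdir" list from scan() is the same signal as chkrootkit's "process hidden" warning; run it twice and keep only pids reported both times to discard very short-lived processes before treating the rest as an LKM rootkit indicator.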