intrusion tracking
Joe Zeff
joe at zeff.us
Thu Jan 27 00:07:45 UTC 2011
On 01/26/2011 01:06 PM, Wolfgang S. Rupprecht wrote:
> Oh, I'm sure there was an initial user-level attack that I haven't found
> yet and probably won't.
Check /etc/passwd for users you don't recognize.
grep -v nologin /etc/passwd
will give you a list of users who can log in. The few who aren't
regular users, such as halt and shutdown will probably have obvious
"shells." On my system, the only such "user" with /bin/bash is mysql.
If one of the intruders did create a new account, it should jump out at
you. And, of course, if you haven't changed the root password, do it now!
More information about the users
mailing list