
Re: Am I Compromised -- Some interesting findings



On Fri, 2005-25-11 at 23:21 +0530, Ritesh Raj Sarraf wrote:
> That is what confused me at first. Since there's no /usr/sbin/httpd
> binary in a Debian based apache installation I was wondering how this was
> being shown. And interestingly there was no /usr/sbin/httpd file present
> either.

If the system has been rooted, then you can't count on anything that is
reported by ps. Probably one of those scripts in /tmp is being run and
then it masquerades as being /usr/sbin/httpd, which on Red Hat systems
and other *nix distributions would be considered innocuous.
 
> That's the biggest challenge right now. I don't have physical access to the
> system and I don't think my client will be able to bear my travelling
> expenses.

That does pose a problem. I don't know an easy way to validate the
system and clean it while attacks are still happening, or even worse
someone has a shell account on the system.

> chkrootkit was of no help. It reported that the system was absolutely fine.
> I haven't tried tiger yet.

Hmm, I'm pretty new to that tool and the tiger tool as well. So I'm not
sure what else to suggest at this point. Hopefully others on this list
and the debian-isp list will also be able to help out.

-- 
 o)    Derek Wueppelmann               (o
(D .    monkey@monkey.homeip.net        D).
((`      http://monkey.homeip.net/     ( ) `
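The point Derek makes above (a script in /tmp can show up in ps as /usr/sbin/httpd, so the reported name proves nothing) can be checked without trusting the ps binary at all: the kernel's own view of each process is in /proc, where /proc/PID/exe points at the file actually being executed and /proc/PID/cmdline holds the argv[0] the process chose to present. The script below is an added example for this thread, not code from the original mail or from Debian; the function names, the list of "suspect" directories and the heuristics are assumptions of the example. It flags processes whose executable lives under a temporary directory, has been deleted while running, or whose claimed path does not match what the kernel reports. Run it as root, since /proc/PID/exe of other users' processes is otherwise unreadable, and keep in mind that a kernel-level rootkit can lie to /proc just as it lies to ps, so a clean result is only as good as the kernel it came from.

```python
import os

# Directories from which no legitimate daemon binary is expected to run
# (assumption of this example; extend for the host being examined).
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm")


def classify(claimed, exe_target, exists=os.path.exists):
    """Compare what a process claims to be (argv[0], as ps shows it) with
    where the kernel says its executable lives (the /proc/PID/exe link).
    Returns None when nothing looks off, otherwise a short reason string.
    `exists` is injectable so the logic can be exercised without touching
    the real filesystem."""
    if exe_target is None:
        # Unreadable link: a kernel thread, or a process we lack permission for.
        return "exe link unreadable"
    if exe_target.endswith(" (deleted)"):
        # The binary was removed from disk after it was started; a common way
        # to hide a dropped file while keeping the process alive.
        return "executable deleted from disk while running"
    for d in SUSPECT_DIRS:
        if exe_target == d or exe_target.startswith(d + "/"):
            return "executable lives under %s" % d
    if claimed.startswith("/"):
        # argv[0] is a full path, so it can be checked against the kernel's view.
        # Basename comparison is a heuristic: an interpreter reached through a
        # versioned symlink (python3 -> python3.11) will also be reported here,
        # which is why findings are meant for review, not automatic action.
        if os.path.basename(claimed) != os.path.basename(exe_target):
            return "claims %s but kernel reports exe %s" % (claimed, exe_target)
        if not exists(claimed):
            # The exact case from the thread: ps shows /usr/sbin/httpd, but the
            # file is not on disk because the name was only written into argv[0].
            return "claims %s but no such file on disk" % claimed
    return None


def read_proc(pid):
    """Return (argv0, exe_target) for a pid from /proc, or None if it vanished."""
    base = "/proc/%d" % pid
    try:
        with open(base + "/cmdline", "rb") as f:
            argv0 = f.read().split(b"\0")[0].decode("utf-8", errors="replace")
    except OSError:
        return None
    try:
        exe = os.readlink(base + "/exe")
    except OSError:
        exe = None
    return argv0, exe


def scan():
    """Walk /proc directly (bypassing the ps binary, which may be trojaned on a
    rooted host) and return (pid, argv0, exe, reason) for every process that
    classify() considers worth a look."""
    findings = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        info = read_proc(int(name))
        if info is None:
            continue
        argv0, exe = info
        if not argv0:
            continue  # kernel threads have an empty cmdline
        reason = classify(argv0, exe)
        if reason:
            findings.append((int(name), argv0, exe, reason))
    return findings


if __name__ == "__main__":
    for pid, argv0, exe, reason in scan():
        print("%6d  %-30s  %-40s  %s" % (pid, argv0, exe, reason))
```

The script is intentionally read-only: it lists what to look at, and the looking (comparing against package checksums, copying the suspect file off for analysis, or rebuilding the host) is still a manual decision, as the rest of the thread discusses.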
