<div>My bad, I was looking at the log wrong. I thought a process was being executed by this 'Mark' but it was, in actual fact, crontab running the process.</div>
<div> </div>
<div>Still, nothing wrong with running a chkrootkit and rkhunter every now and then. Don't forget to remove them after installing them so the binary's themselves don't become infected.<br><br> </div>
<div><span class="gmail_quote">On 5/21/08, <b class="gmail_sendername">Bryn Salisbury</b> <<a href="mailto:bryn.salisbury@gmail.com">bryn.salisbury@gmail.com</a>> wrote:</span>
<blockquote class="gmail_quote" style="PADDING-LEFT: 1ex; MARGIN: 0px 0px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Michael,<br><br>2008/5/21 Michael Crilly <<a href="mailto:e-mail@mcrilly.co.uk">e-mail@mcrilly.co.uk</a>>:<br>
> You've been cracked by the looks of it. It looks as though someone has<br>> broken in and then probed the system, for various features and also tried to<br>> start a service, possibly an old version with a known exploit in it (so they<br>
> have a point to exploit in future)<br><br>What log lines are you looking at? I could be having a "can't see the<br>wood from the trees" moment here...<br><br>B<br><br>_______________________________________________<br>
Chester mailing list<br><a href="mailto:Chester@mailman.lug.org.uk">Chester@mailman.lug.org.uk</a><br><a href="https://mailman.lug.org.uk/mailman/listinfo/chester">https://mailman.lug.org.uk/mailman/listinfo/chester</a><br>
</blockquote></div><br><br clear="all"><br>-- <br>M. T. Crilly<br><a href="http://www.mcrilly.co.uk/">http://www.mcrilly.co.uk/</a>