[Gllug] Have I been compromised??
John Hearns
john.hearns at cern.ch
Mon Sep 2 07:35:43 UTC 2002
On Mon, 2002-09-02 at 09:29, Chris Bell wrote:
> On Mon 02 Sep, omphe wrote:
> >
> > Need some advice. My apache logs show a few entries from outside
> > addresses, everything else coming from the localhost address. All
> > outside requests have been responded to with 404's or 405's.
> > Chkrootkit detected nothing. The history binary is in order. ps seems
> > to be working fine. Have I been compromised?
> >
> > My inexperience tells me to reinstall, keeping only non-binaries in my
> > backups. Need I clean off my Windows partition as well? Not sure if
> > I'm being paranoid or not.
> >
> > Could use some guidance.
> >
> > Thanks
> >
> >
> > Branden Faulls
> >
>
> Would they be visits from well known search engines scanning for web sites?
>
I should not weigh in here, but I would check on network, routing and
DNS issues first.
Easiest way to do this might be to browse your site from a box on
another network, or have a few GLLUG people do this (discussion
off-list!) whilst you are doing a tail -f on your logs.
Is there anything else which makes you suspect that you have been
compromised?
--
Gllug mailing list - Gllug at linux.co.uk
http://list.ftech.net/mailman/listinfo/gllug
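
An added example, not part of the original message or thread: one way to check the log observation discussed above, namely whether any outside (non-loopback) client received anything other than a refusal such as 404 or 405. It assumes Apache common or combined log format on standard input; the function names and the sample log lines (documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage an Apache access log read from standard input.
# Assumes common/combined log format; function names are hypothetical.

# outside_requests: print "<client> <status> <count>" for every
# non-loopback client/status pair, sorted for stable output.
outside_requests() {
    awk '
    $1 == "127.0.0.1" || $1 == "::1" { next }   # skip localhost traffic
    # The status is the 3-digit field right after the closing quote of the
    # request line; matching on it copes with requests of any word count.
    match($0, /" [0-9][0-9][0-9] /) {
        status = substr($0, RSTART + 2, 3)
        seen[$1 " " status]++
    }
    END { for (k in seen) print k, seen[k] }
    ' | LC_ALL=C sort
}

# served_to_outside: keep only pairs where an outside client got a 2xx or
# 3xx response, i.e. content was served rather than refused.
served_to_outside() {
    outside_requests | awk '$2 ~ /^[23]/'
}

# Constructed sample log, not taken from the original post.
sample_log() {
    cat <<'EOF'
127.0.0.1 - - [02/Sep/2002:08:01:10 +0100] "GET / HTTP/1.0" 200 1456
192.0.2.10 - - [02/Sep/2002:08:03:22 +0100] "GET /robots.txt HTTP/1.0" 404 284
192.0.2.10 - - [02/Sep/2002:08:03:23 +0100] "GET /index.html HTTP/1.0" 404 284
198.51.100.7 - - [02/Sep/2002:08:10:05 +0100] "PROPFIND / HTTP/1.1" 405 301
203.0.113.5 - - [02/Sep/2002:08:15:40 +0100] "GET / HTTP/1.0" 200 1456
EOF
}

# Demo on the constructed sample; for a real log, redirect it into
# served_to_outside instead.
sample_log | served_to_outside
```

An empty result from `served_to_outside` matches the situation described in the original question; any line it prints is an outside request that was actually served and is worth reading in full in the log.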