On Fri, Nov 16, 2001 at 03:10:42PM -0600, John J. Trammell wrote:
> On Fri, Nov 16, 2001 at 01:14:27PM -0600, Florin Iucha wrote:
> > On Fri, Nov 16, 2001 at 10:58:48AM -0600, Ursula A. Kallio wrote:
> > > Now you have me curious. Any reason why you would "PULL THE NETWORK AND
> > > THE POWER PLUGS!"? Please explain what you are reacting to.
> >
> > Because he has been cracked. Pulling the network stops the crackers from
> > communicating with the probes. Pulling the plug and then mounting the
> > hard drive in a different computer to get information about the breach.
>
> ROFL! I think the question is, "How do you know he has been cracked?",
> based on what he said?
And if the attackers decided to use the number of seconds since epoch for
the process name, Google would get no hits as well...
> Admittedly, those are suspicious-looking process names;
> do you recognize them? Google has no hits.
Do I need to? I have _never_ _ever_ met any legitimate processes with
similar names. I bet there is no Linux|*BSD distribution that has such
process names in their packages.
There are three possibilities:
1. somebody named his programs that way
   1. somebody with legitimate access
   2. somebody with illegitimate access
2. there is on-disk corruption (and I dare you to compute the probabilities
   that the same corruption occurred in the directory contents and the
   eventual script that started the app)
> > And then reformat everything and do a clean reinstall/restore from backups.
>
> Of course, if there's reasonable suspicion.
So do you still think he was not hacked?
florin
--
"If it's not broken, let's fix it till it is."
41A9 2BDE 8E11 F1C5 87A6 03EE 34B3 E075 3B90 DFE4