23 Jul 2000

Sun, 23 Jul 2000 03:47:27 GMT

Was rummaging around on my server today. It's neglected (running RedHat 4.1 - Vanderbilt) but still works fine. I can't see why I should have to muck with things when they are working perfectly well. Urges like that are for my desktop and I can still remember when I lost all my data *3 years worth* trying to install OpenBSD and frying my partition table. NTFS sucks. I learnt that when I was trying to walk the data structures in hopes of recovering a massive 600 MB backup file that held all my data :-). I failed miserably die to lack of documentation. NTFS sucks.

Point is, when on my server, I was trying to detect any intruders. Of course, I can't see anyone else on it. No strange files and no strange processes. But I've heard of rootkits.

Running netstat -a reveals some strange information. Process running that open a port very high up 56000 range. Could be anything. Telnetting to it reveals a strange message, "-1 Hostname/IP address not recognized"

On a hunch I change my root password and run another netstat -a. This time I see a connection to some other machine coming from sendmail of all processes! Eeeeck. Intruder! He's sending my root password to himself. Hope I can make that the biggest mistake he ever made.

I suspect he/they have been around for a long time. I'll have to start watching them now. This could be fun. But have to make sure I back up all my data first! They already disconnect me when I start to delete certain files.

Who knows what else they could do ...

Sometimes I feel like a weenie who doesn't know jack. Other times I feel good, like when I caught this intruder. Like I'm smart. Knock on wood. Hope I can get certified one day as a master. It's a long journey of many small steps but the peer review process makes you work harder.

It's also my first post and first time on Advogato ... My journey begins here.

Advogato blog for Incognegro

23 Jul 2000