Hi,

> I couldn't find a foreign thing in .bash_history.

Don't expect to. Any hacker with any sense, and a lot of rootkits, remove lines from logs and history files in order to cover up the intrusion.

> I tried: 'telnet xxx.xxx.xxx.xxx 15000' and got 'Unable to connect' which
> tells me that port 15000 is not open.

Just to point out here, that's not always the case. 'telnet' attempts a TCP connection, but ports can also be opened to listen for UDP. One check you can do is to use 'netstat' to list all the listening ports, using the '-al' switches. Of course, you've got to have confidence in your copy of 'netstat' first.

> How could I detect this hack ?

This taken from the UK2RaQ list - Try the following command:

    md5sum /usr/sbin/named

If you get 20a8796196848e0e393b2ec50da0aba4 then you're hacked, if not, then you're o.k.

As has been stated in another reply, I'd suggest you join the UK2Raq list, as they know the specifics of this attack.

Might I also suggest, installing an intrusion detection system, such as 'Tripwire' ? This will allow you to check for modified (ie, trojaned) system files.

Best of luck,
John
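The file-integrity check suggested above, as an added example that is not part of the original message and is not Tripwire itself: a small baseline-and-verify routine plus the known-bad MD5 comparison. The function names are hypothetical, and it assumes the manifest is kept off the host and that the md5sum and sha256sum binaries are trusted copies.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not code from the original message.
# MD5 value quoted in the message above for a trojaned /usr/sbin/named.
KNOWN_BAD_MD5="20a8796196848e0e393b2ec50da0aba4"

# baseline FILE...: print "hash  path" manifest lines for the given files.
# Run this on a known-clean system and store the output off the host.
baseline() {
    for f in "$@"; do
        sha256sum -- "$f"
    done
}

# verify: read a manifest on stdin, print one line per deviation.
# Returns 0 if every file matches its recorded hash, 1 otherwise.
verify() {
    rc=0
    while read -r want path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            rc=1
            continue
        fi
        got=$(sha256sum -- "$path" | cut -d' ' -f1)
        if [ "$got" != "$want" ]; then
            echo "CHANGED $path"
            rc=1
        fi
    done
    return $rc
}

# matches_known_bad FILE: returns 0 if the file's MD5 equals the known-bad
# value. A non-match only rules out that one binary, not a compromise.
matches_known_bad() {
    [ "$(md5sum -- "$1" | cut -d' ' -f1)" = "$KNOWN_BAD_MD5" ]
}

# Typical use (paths are examples):
#   baseline /usr/sbin/named /bin/netstat /bin/ls > /mnt/offline/manifest
#   verify < /mnt/offline/manifest || echo "investigate"
#   matches_known_bad /usr/sbin/named && echo "known trojaned named"
```

The baseline only has value if it was taken before the intrusion and an intruder with root cannot rewrite it, which is why the manifest belongs on read-only or offline media.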
Sun Cobalt and Linux Support by Zeffie.com
Zeffie's Sun Cobalt User Forums