Point is, when on my server, I was trying to detect any intruders. Of course, I can't see anyone else on it. No strange files and no strange processes. But I've heard of rootkits.
Running netstat -a reveals some strange information. A process is running that opens a port very high up, in the 56000 range. Could be anything. Telnetting to it reveals a strange message, "-1 Hostname/IP address not recognized".
On a hunch I change my root password and run another netstat -a. This time I see a connection to some other machine coming from sendmail of all processes! Eeeeck. Intruder! He's sending my root password to himself. Hope I can make that the biggest mistake he ever made.
I suspect he/they have been around for a long time. I'll have to start watching them now. This could be fun. But have to make sure I back up all my data first! They already disconnect me when I start to delete certain files.
Who knows what else they could do ...
Sometimes I feel like a weenie who doesn't know jack. Other times I feel good, like when I caught this intruder. Like I'm smart. Knock on wood. Hope I can get certified one day as a master. It's a long journey of many small steps but the peer review process makes you work harder.
It's also my first post and first time on Advogato ... My journey begins here.