Hmmm, looks like I'm weighing into this discussion a little late, but I've been working in Asia (Singapore and Hong Kong) for the last couple of weeks and haven't had a chance to catch up on "non-critical" email. (Sydney is just a "little" busy at the moment, and my house is 10 min from the Olympic stadium....) Anyways.. back to the picture.. What everyone seems to have missed here is:

> I am getting scans to port 161/tcp from the scanner's port 1234. I checked the /etc/services file: port 1234 is search agent for Infoseek and 161 is snmp.

Port 161/UDP is snmp... SNMP does not use TCP. I'd guess that there is either a new trojan "doing the rounds" or that someone you know has emailed you a trojanised exe configured to run on port 161 in the hope that you'd run it... I have attached a common list of trojan ports if anyone else is interested.

Cheers
Nix

BTW: I have changed email addresses from nix@cotse.com to aid in sorting email, hope it doesn't confuse anyone... :-P~~

At 08:07 PM 14/09/2000, you wrote:
> bolo@lupa.de started typing into the keyboard and wrote:
> > snmp version 1 and 2 is available for linux although not installed by default,
> > so an attacker cannot leak information out of your linux system if you didn't install snmp.
>
> Well thanks for the info and I already checked my installation and thank god found that it is not installed.
>
> semat started typing into the keyboard and wrote:
> > Oh and also one other thing you can do is to set certain directories that should not change to being read-only, for example /sbin /bin /usr/bin /lib /dev with chattr +i <directory>. If you don't make a lot of changes in /etc you can also set it read-only and remove it whenever you have to make changes.
>
> I am considering this yet, but the /dev part does not sound correct to me: what about the hard disk access that is done through trusted users and services? Correct me if I am wrong, but the /dev access should be, as I understand it, through the use of groups, i.e. disk or video or dialout.
>
> --
> Togan Muftuoglu toganm@turk.net
>
> --snip--
Peter Nixon
Senior Security Consultant
ITAC: Leaders in IT security
http://www.itaudit.com.au
mailto:petern@itaudit.com.au
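The thread's point is that a connection to 161/tcp is odd because SNMP is served over UDP, so TCP hits on that port are the thing to pull out of a firewall log. The script below is an added example, not code from any poster on this thread: it parses netfilter LOG-style kernel lines (the `SRC=`, `DST=`, `PROTO=`, `SPT=`, `DPT=` fields) and reports packets whose transport does not match what the destination port's service is expected to use. The log lines and the expected-transport table are constructed for the example; extend `EXPECTED_PROTO` with whatever your own network treats as UDP-only.

```python
"""Flag TCP traffic aimed at UDP-only service ports in netfilter LOG lines.

SNMP runs over UDP/161 (and traps over UDP/162), so TCP SYNs to 161, as in
the scans described in the thread, deserve a closer look. The log lines
below are constructed for this example; the KEY=VALUE fields follow the
format of the kernel's netfilter LOG target.
"""
import re
from collections import defaultdict

# Constructed sample log, not taken from the thread.
SAMPLE_LOG = """\
Sep 14 20:07:01 host kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=192.168.1.10 PROTO=UDP SPT=1040 DPT=161 LEN=60
Sep 14 20:07:02 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP SPT=1234 DPT=161 SYN
Sep 14 20:07:03 host kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.11 PROTO=TCP SPT=1234 DPT=161 SYN
Sep 14 20:07:04 host kernel: IN=eth0 OUT= SRC=198.51.100.2 DST=192.168.1.10 PROTO=TCP SPT=44321 DPT=22 SYN
Sep 14 20:07:05 host kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.168.1.10 PROTO=TCP SPT=1234 DPT=161 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

# Destination ports whose service is expected over one transport only.
# Assumption for the example: SNMP get/set (161) and traps (162) are UDP.
EXPECTED_PROTO = {161: "UDP", 162: "UDP"}


def parse_line(line):
    """Return the KEY=VALUE fields of one netfilter LOG line as a dict,
    with the port fields converted to integers."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("SPT", "DPT"):
        if key in fields and fields[key].isdigit():
            fields[key] = int(fields[key])
    return fields


def find_transport_anomalies(log_text):
    """Yield (src, spt, dst, dpt, proto) for every packet whose transport
    differs from the one expected for its destination port."""
    for line in log_text.splitlines():
        f = parse_line(line)
        dpt = f.get("DPT")
        if dpt in EXPECTED_PROTO and f.get("PROTO") != EXPECTED_PROTO[dpt]:
            yield (f["SRC"], f.get("SPT"), f["DST"], dpt, f["PROTO"])


def summarize_by_source(log_text):
    """Group anomalies by source address so a sweep from one host (same
    source port, several targets) stands out: {src: {targets, src_ports}}."""
    summary = defaultdict(lambda: {"targets": set(), "src_ports": set()})
    for src, spt, dst, dpt, proto in find_transport_anomalies(log_text):
        summary[src]["targets"].add((dst, dpt, proto))
        summary[src]["src_ports"].add(spt)
    return dict(summary)


if __name__ == "__main__":
    for src, info in summarize_by_source(SAMPLE_LOG).items():
        print(f"{src}: {len(info['targets'])} hit(s) on UDP-only ports over TCP, "
              f"source port(s) {sorted(info['src_ports'])}")
```

Run against a real file with `summarize_by_source(open("/var/log/messages").read())`; the UDP/161 line in the sample is a normal SNMP poll and is correctly left alone, while the fixed source port 1234 across several targets is the pattern the original poster described.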
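On the `chattr +i` suggestion quoted above: once the flag is set on a handful of system directories, the useful follow-up is an audit that tells you which of them have lost it (or never got it). The helper below is an added example, written for this thread rather than taken from it; it parses the output of `lsattr -d` (first column attribute flags, then the path) and reports which of the listed directories are missing the `i` flag. The `lsattr` output embedded here is constructed for the example, and the directory list is the thread's own minus `/dev`, since Togan's question about device access via groups is left open in the thread.

```python
"""Audit which directories carry the ext2/3/4 immutable ('i') attribute.

Parses `lsattr -d` output and lists the directories from HARDENED_DIRS
that do not have the immutable flag. The sample output is constructed;
lsattr_for() runs the real command and needs e2fsprogs on an ext filesystem.
"""
import subprocess

# Directories the thread suggests protecting with chattr +i (assumed list;
# /dev deliberately left out, as the thread does not settle that point).
HARDENED_DIRS = ["/sbin", "/bin", "/usr/bin", "/lib"]

# Constructed `lsattr -d /sbin /bin /usr/bin /lib` output for the example.
SAMPLE_LSATTR = """\
----i---------e------- /sbin
--------------e------- /bin
----i---------e------- /usr/bin
--------------e------- /lib
"""


def parse_lsattr(output):
    """Map each path in lsattr output to its attribute-flag string."""
    attrs = {}
    for line in output.splitlines():
        parts = line.split(None, 1)   # flags, then the path (may contain spaces)
        if len(parts) == 2:
            attrs[parts[1].strip()] = parts[0]
    return attrs


def missing_immutable(output, dirs=HARDENED_DIRS):
    """Return the directories from `dirs` whose flags lack 'i'; a directory
    absent from the output (e.g. lsattr could not read it) is reported too."""
    attrs = parse_lsattr(output)
    return [d for d in dirs if "i" not in attrs.get(d, "")]


def chattr_commands(missing):
    """Commands an administrator would review before applying (needs root)."""
    return [f"chattr +i {d}" for d in missing]


def lsattr_for(dirs=HARDENED_DIRS):
    """Run the real lsattr for the given directories and return its stdout."""
    return subprocess.run(["lsattr", "-d", *dirs],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    try:
        output = lsattr_for()
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_LSATTR   # fall back to the constructed sample
    for cmd in chattr_commands(missing_immutable(output)):
        print(cmd)
```

Remember that `+i` also blocks the package manager and your own updates, so run the audit after every upgrade window rather than assuming the flag survived it.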