-----Original Message-----
From: Togan Muftuoglu [mailto:toganm@turk.net]
Sent: Saturday, 10 February 2001 11:55
To: suse-security@suse.com
Subject: Re: [suse-security] server-check
On Sat, Feb 10, 2001 at 11:14:17AM +0100, Raffy wrote:

Hey,

Port State Service
22/tcp open ssh
25/tcp open smtp
37/tcp open time

Are you sure you need this???

I am using ssh and smtp

Then you should close down "time" to the local network

12345/tcp open NetBus
12346/tcp open NetBus
31337/tcp open Elite

Nice. As reported earlier on this list. Unplug your machine from the net. Very possible you were hacked!!!!

Now I need more than aspirin

Check what is running behind 12345 with lsof and netstat!!!

nothing

I did
fuser -n 12345
fuser -n 12346
netstat -aenp

There is nothing running for these, or am I running these commands wrong?
No, it's just that your binaries are swapped with those from the root-kit, and these hide themselves... Get those binaries from a safe machine (better CD-ROM) into a temporary directory (for forensic analysis, do not overwrite any binaries nor reboot the machine!), and try it again with those safe binaries. You may also do an "rpm --verify -a > /tmp/some/file" to check the md5-hashes of all installed packages, to see if and which binaries on your system have been replaced by the attacker's root-kit.

Regards,
Thomas
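As an added example (not from the thread or any of its authors), a small shell filter that sorts the output of the "rpm --verify -a" step Thomas suggests into replaced binaries and missing files; the rpm output it runs on is constructed, and the attribute columns follow rpm's verify legend (S size, M mode, 5 MD5 digest, D device, L link, U user, G group, T mtime).

```shell
#!/bin/sh
# Added example: filter "rpm --verify -a" output for swapped binaries.
# Constructed sample of rpm verify output (not taken from the thread).
# Attribute legend: S size, M mode, 5 MD5 digest, D device, L link,
# U user, G group, T mtime; "." means the attribute matched the package.
# An optional second token marks the file type (c = config file).
SAMPLE='S.5....T    /bin/ps
S.5....T    /bin/netstat
.......T  c /etc/ssh/sshd_config
S.5....T  c /etc/motd
missing     /usr/bin/lsof
.M......    /usr/bin/passwd'

# Reads rpm --verify output on stdin and prints one line per finding:
#   MD5-CHANGED <path>  for a non-config file whose digest differs
#   MISSING <path>      for a packaged file that is gone
# Config files ("c") are expected to differ and are ignored; a changed
# mode, owner or mtime alone is not reported, only a changed digest is.
changed_binaries() {
    while IFS= read -r line; do
        # split into attribute field, optional type flag and path
        set -- $line
        [ $# -ge 2 ] || continue
        attrs=$1
        if [ $# -ge 3 ]; then type=$2; path=$3; else type=""; path=$2; fi
        case "$attrs" in
            missing) echo "MISSING $path" ;;
            *5*)     [ "$type" = "c" ] || echo "MD5-CHANGED $path" ;;
        esac
    done
}

# Stand-alone run over the constructed sample.  On a live system, feed it
# the real output instead, using rpm and shell binaries from trusted media
# as the thread advises:  rpm --verify -a | changed_binaries
printf '%s\n' "$SAMPLE" | changed_binaries
```

The filter only reads the verify report; whether that report can be trusted still depends on running rpm, sh and friends from known-good media, as Thomas says, since a root-kit that replaced netstat may have replaced rpm as well.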