On Saturday 16 September 2006 10:41, Tage Danielsen wrote:
> Yes, I am running vmware and windows with bridged NICs.
So what's upstream? What router is in front of this machine? Is it secure? Because the windows machine is listening to the world.
> The windows machine is not listening to the world, except 904.
Port 904 is listened to by xinetd on your linux machine, not your windows virtual machine. Could it be the vmware console?
> Nobody can access the syslogd from the outside world now.
The point is that through one of the services you have running on this machine that accept connections from anywhere (samba, something you are running in apache, or whatever) you have been hacked. syslogd is not supposed to be running on your machine at all; SUSE uses syslog-ng, not syslogd. You have a rootkit on your machine, and it is not a good idea to keep using it.

I would suggest a reinstall, and before you put the machine back on the internet, make sure all security updates are installed, and go through the services you are offering on this machine and make sure they are all secure (and needed; running samba against the internet is not a very good idea).

At the moment there is no evidence that whoever hacked your machine has root, so it may be that it's just some "remote execute commands" hole in some web service, but it's still not advisable to keep running the machine as if nothing happened and just plug things up with a firewall. You already have malicious code on your machine, and you have no idea what it's told to do.
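The check behind the advice above (which process owns each listening port, and whether a daemon such as syslogd is something the distribution actually installed), as an added example that is not part of the thread. The socket lines are constructed in the style of `ss -ltnp` output, and the allowlist of expected programs is an assumption for this host.

```shell
#!/bin/sh
# Added triage example, not code from the thread. Flags listening sockets whose
# owning program is not on an explicit allowlist, then offers a package-integrity
# check for any suspicious binary. SAMPLE_SS is constructed in `ss -ltnp` style
# (header line omitted); the allowlist below is an assumption for a SUSE host.

SAMPLE_SS='LISTEN 0 128 0.0.0.0:904 0.0.0.0:* users:(("xinetd",pid=1234,fd=5))
LISTEN 0 50 0.0.0.0:139 0.0.0.0:* users:(("smbd",pid=2345,fd=7))
LISTEN 0 128 0.0.0.0:514 0.0.0.0:* users:(("syslogd",pid=3456,fd=3))
LISTEN 0 128 127.0.0.1:25 0.0.0.0:* users:(("master",pid=4567,fd=12))'

# Programs expected to hold a listening socket on this machine (assumption).
# Note that syslog-ng, not syslogd, is the expected logger on SUSE.
ALLOWED="xinetd smbd master syslog-ng"

# unexpected_listeners SS_LINES -> prints "port program" for each listener
# whose program is not in ALLOWED. Empty output means nothing unexpected.
unexpected_listeners() {
    printf '%s\n' "$1" | while read -r state recvq sendq laddr peer users; do
        [ -n "$users" ] || continue
        port=${laddr##*:}
        # pull the program name out of users:(("name",pid=...,fd=...))
        prog=$(printf '%s' "$users" | sed 's/.*(("\([^"]*\)".*/\1/')
        case " $ALLOWED " in
            *" $prog "*) ;;
            *) printf '%s %s\n' "$port" "$prog" ;;
        esac
    done
}

# check_binary PATH -> reports whether PATH is owned by an installed package
# and whether the package's files still match the rpm database. Needs a real
# rpm-based host, so it is not run on the sample data. If the intruder has
# root, the rpm database itself may be tampered with; a clean reinstall is the
# only reliable answer, as the thread says.
check_binary() {
    if ! rpm -qf "$1" >/dev/null 2>&1; then
        printf '%s: not owned by any package (suspicious)\n' "$1"
        return 1
    fi
    rpm -Vf "$1" || printf '%s: on-disk files differ from the package\n' "$1"
}

unexpected_listeners "$SAMPLE_SS"   # prints: 514 syslogd
```

On the real host, feed it `ss -ltnp | tail -n +2` (or `netstat -ltnp` reshaped the same way) and run `check_binary` on the path `ps` reports for any flagged process.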