On Thursday, 1 January 2004 20:47, Arjen de Korte wrote:
> Not likely a rootkit. You will find that you can stop it with 'rcnetwork stop eth0' and start it again with 'rcnetwork start eth0'. It's the service which handles your network card. Most rootkits will hide themselves by changing the output of the 'ps' command, so you're not likely to find a rootkit that way.

Well, that's the thing that was puzzling me. I've already had some experiences with rootkits, so finding something with ps I could not sort in was quite surprising. Nevertheless, my homebox (SuSE 9.0) would not show such a process, even though I got a local LAN here. Stopping the network with rcnetwork stop to see what happens is not really a choice for me, as I do not have physical access to the machine ;-).

> From where did you check this? If you used an online scanning service, it

I checked it from home, using nmap (which isn't installed on the machine in question). I thought it might be safer to check from outside.

> could be that your ISP is filtering port 6667. It is commonly (ab)used for IRC and therefore a fairly well known vulnerability. Some ISPs don't want their customers to run servers, the only reason why you might need it. As an 'ordinary' user, you wouldn't be harmed by filtering. Check with your acceptable use policy of your provider.

Hm, haven't thought of this yet. I'll have to check this with our ISP, thanks for the advice.

-- 
Patrick Ahlbrecht
System Administration
billiton internetservices
direct phone: 0271 30386 19
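
The point made in the thread, that a rootkit which tampers with 'ps' will not show up in 'ps', can be checked from a second angle by comparing the PIDs under /proc with the PIDs ps reports. The script below is an added example, not part of the original messages; its function names are made up for illustration, and it assumes a Linux /proc and a ps that accepts `-e -o pid=`. A rootkit that also filters /proc in the kernel will pass this check, so an empty result proves nothing.

```shell
#!/bin/sh
# Cross-view check: PIDs visible under /proc versus PIDs reported by ps.
# All function names here are illustrative, not from any existing tool.

# Print the numeric directory names under a proc-style root, sorted.
proc_pids() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        if [ -d "$d" ]; then
            printf '%s\n' "${d##*/}"
        fi
    done | sort
}

# Print the PIDs that ps reports, sorted the same way.
ps_pids() {
    ps -e -o pid= | tr -d ' ' | sort
}

# Print entries of sorted file $1 that are missing from sorted file $2.
only_in_first() {
    comm -23 "$1" "$2"
}

# Snapshot /proc before and after the ps call. Only PIDs present in both
# /proc snapshots are compared, so short-lived processes are not flagged.
cross_view() {
    tmp=$(mktemp -d) || return 1
    proc_pids > "$tmp/proc1"
    ps_pids > "$tmp/ps"
    proc_pids > "$tmp/proc2"
    comm -12 "$tmp/proc1" "$tmp/proc2" > "$tmp/stable"
    only_in_first "$tmp/stable" "$tmp/ps"
    rm -rf "$tmp"
}

# Run the live check only when asked: sh crossview.sh --run
if [ "${1:-}" = "--run" ]; then
    cross_view
fi
```

Any PID it prints exists in /proc but is absent from ps output and deserves a closer look with tools brought in from known-good media.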