does it mean my system was hacked
Hi,

my system is connected to the network by DSL. I do not know, sometimes I found a lot of activity in my system, and when I checked the system each time I found this process:

sambit@linux:~ > ps -ef | grep find
nobody 6612 6610 0 00:15 ? 00:00:00 su nobody -c /usr/bin/find / \( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype smbfs -o -fstype autofs -o -type d -regex '\(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)' \) -prune -o -print
root 6613 6590 0 00:15 ? 00:00:00 /usr/lib/find/frcode
nobody 6614 6612 7 00:15 ? 00:00:09 /usr/bin/find / ( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype smbfs -o -fstype autofs -o -type d -regex \(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\) ) -prune -o -pri

I checked my DSL router log files also. I found some information like this:

01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374

What does it mean, is someone hacking my system? If yes, what should I do?
-----Original Message-----
From: sambit [mailto:sambit@pop.snet.net]
Sent: 24. januar 2002 13:48
To: suse-security@suse.com
Subject: [suse-security] does it mean my system was hacked

[snipped]

I checked my DSL router log files also. I found some information like this:

01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374

What does it mean, is someone hacking my system? If yes, what should I do?

Hi Sambit!

Looks like some trojan movement. The port is suspicious (default Sub7 port). However I'm not totally aware as to Sub7's ability to run on Linux. Anyone?

/Yarrel
sambit wrote:
Hi, my system is connected to the network by DSL. I do not know, sometimes I found a lot of activity in my system, and when I checked the system each time I found this process:

sambit@linux:~ > ps -ef | grep find
nobody 6612 6610 0 00:15 ? 00:00:00 su nobody -c /usr/bin/find / \( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype smbfs -o -fstype autofs -o -type d -regex '\(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)' \) -prune -o -print
root 6613 6590 0 00:15 ? 00:00:00 /usr/lib/find/frcode
nobody 6614 6612 7 00:15 ? 00:00:09 /usr/bin/find / ( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype smbfs -o -fstype autofs -o -type d -regex \(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\) ) -prune -o -pri

That seems to be the updatedb for locate, it's started via cron every night. Maybe this hangs around because of smbshares which are disconnected or uncleanly umounted, also nfs maybe...

I checked my DSL router log files also. I found some information like this:

01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374

That's 'normal' subnet scanning for subseven (windows trojan). You can safely ignore that if you don't have a windows box directly connected to the internet (or forwarded that port to windows ;)

--
intraDAT AG                      http://www.intradat.com
Wilhelm-Leuschner-Strasse 7      Tel: +49 69-25629-0
D - 60329 Frankfurt am Main      Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
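
Added example, not part of any poster's message: a small Python triage script for router log lines in the format quoted in this thread, grouping the probes by destination port so a handful of unrelated sources each knocking on one well-known port stands out as background scanning. The sample lines are copied from the log in the thread; the note for port 27374 comes from the replies, the SOCKS note for port 1080 is an added annotation, and the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample lines copied from the router log quoted in this thread.
SAMPLE_LOG = """\
01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
"""

# 27374: named in the thread as the default Sub7 port.
# 1080: registered SOCKS proxy port (annotation added for this example).
PORT_NOTES = {27374: "SubSeven default (Windows trojan)", 1080: "SOCKS proxy"}

LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"Unrecognized access from (?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) "
    r"to (?P<proto>TCP|UDP) port (?P<dport>\d+)$"
)

def parse(log_text):
    """Return (events, unparsed): one dict per matching line, plus lines that did not match."""
    events, unparsed = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        m = LINE_RE.match(line)
        if m:
            events.append({**m.groupdict(), "dport": int(m["dport"])})
        else:
            unparsed.append(line)  # keep for manual review instead of dropping silently
    return events, unparsed

def summarize(events):
    """Group by destination port; first/last rely on the log being in time order."""
    by_port = defaultdict(lambda: {"hits": 0, "sources": set(), "first": None, "last": None})
    for ev in events:
        s = by_port[ev["dport"]]
        s["hits"] += 1
        s["sources"].add(ev["src"])
        stamp = f'{ev["date"]} {ev["time"]}'
        s["first"] = s["first"] or stamp
        s["last"] = stamp
    return dict(by_port)

if __name__ == "__main__":
    events, unparsed = parse(SAMPLE_LOG)
    for port, s in sorted(summarize(events).items()):
        print(f'{port:>5} {PORT_NOTES.get(port, "unknown")}: {s["hits"]} hits from '
              f'{len(s["sources"])} source(s), {s["first"]} to {s["last"]}')
```
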
participants (3): sambit, Sven Michels, Yarrel