Mailinglist Archive: opensuse-security (636 mails)

Re: [suse-security] server-check
  • From: Thomas Lamy <Thomas.Lamy@xxxxxxxxxx>
  • Date: Sat, 10 Feb 2001 12:37:40 +0100
  • Message-id: <656F04F343FC25409463829A15B5FDDC53F6@xxxxxxxxxxxxxxxxxxxxx>


> -----Original Message-----
> From: Togan Muftuoglu [mailto:toganm@xxxxxxxx]
> Sent: Saturday, 10 February 2001 11:55
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] server-check
>
>> On Sat, Feb 10, 2001 at 11:14:17AM +0100, Raffy wrote:
>> Hey,
>>
>> > Port State Service
>> > 22/tcp open ssh
>> > 25/tcp open smtp
>> > 37/tcp open time
>>
>> Are you sure you need this???
>I am using ssh and smtp
Then you should close down "time" to the local network

>> > 12345/tcp open NetBus
>> > 12346/tcp open NetBus
>> > 31337/tcp open Elite
>>
>> Nice. As reported earlier on this list. Unplug your machine from the net.
>> Very possible you were hacked!!!!
>
>Now I need more than aspirin
>
>>
>> Check what is running behind 12345 with lsof and netstat!!!
>
>nothing
>
>I did fuser -n 12345
> fuser -n 12346
>
>netstat -aenp
>
>There is nothing running for these, or am I running these commands wrong?
>
No, it's just that your binaries have been swapped with those from the
root-kit, and these hide themselves... Get those binaries from a safe machine
(better: a CD-ROM) into a temporary directory (for forensic analysis, do not
overwrite any binaries nor reboot the machine!), and try it again with those
safe binaries. You may also do an "rpm --verify -a > /tmp/some/file" to check
the md5-hashes of all installed packages, to see if and which binaries on your
system have been replaced by the attacker's root-kit.

Regards,
Thomas
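The reply above suggests saving the output of "rpm --verify -a" to a file and reading it for replaced binaries. The script below is an added example, not part of this thread or of anyone's posted code; it triages such a saved report, printing only the non-config files whose MD5 digest or size no longer matches the package, plus files that are missing altogether. The sample report embedded in it is constructed for illustration (the paths and flag fields are made up and do not come from the mail), and the function names are the example's own. Run it with the verify tools copied from a known-good medium, as the mail advises; note that rpm -V compares against the local rpm database, which an attacker with root could also have altered, so a clean result is a hint, not proof, and mode- or mtime-only changes are deliberately not reported here.

```sh
#!/bin/sh
# Added example (not from the original thread): triage "rpm --verify -a" output.
#
# rpm prints one line per file that fails a check: a flag field, an optional
# file-type letter (c = config, d = doc, ...), then the path. Flag positions:
#   S size   M mode   5 MD5 digest   D device   L symlink   U user   G group
#   T mtime  (newer rpm adds P for capabilities)
# A deleted file is reported as "missing".

# Read verify output on stdin; print "replaced <path>" for files whose content
# (MD5 or size) differs and "missing <path>" for deleted ones. Config files are
# skipped because an admin is expected to have edited them.
verify_report_triage() {
    awk '
        NF < 2 { next }                                  # blank or malformed line
        {
            path = $NF
            type = (NF >= 3) ? $2 : ""                   # type letter present?
            if (type == "c") next                        # config file: expected drift
            if ($1 == "missing") { print "missing " path; next }
            if (index($1, "5") > 0 || index($1, "S") > 0) print "replaced " path
        }
    '
}

# Constructed sample report (hypothetical paths, NOT real findings): a rootkit
# commonly swaps the tools used to look for it, so netstat/fuser/lsof appear here.
SAMPLE_REPORT='S.5....T.    /bin/netstat
.M.......    /usr/sbin/sshd
..5....T.  c /etc/ssh/sshd_config
missing      /usr/sbin/lsof
S.5....T.    /usr/bin/fuser'

# Run the triage over the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_REPORT" | verify_report_triage
}

# Real usage, after saving the report as the mail suggests:
#   verify_report_triage < /tmp/some/file
demo
```

Only /bin/netstat and /usr/bin/fuser are reported as replaced and /usr/sbin/lsof as missing; the sshd binary (mode change only) and the edited sshd_config are left out on purpose.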
