On 07-Jun-01 Chris Quinn wrote:
>> It's very common for a box that's been broken into to run some service on a non-standard port, to allow login to the intruder, preferably without showing up in records used by w(1) and last(1), or logging via syslog.
> Robert:
> Thank you for your reply. You are correct: I did some more snooping and was able to determine that an SSH daemon (an older version than I have running on port 22) is answering on port 31965. I have tried "netstat -anp | grep 31965" but that provides no information. It looks like I have some work to do this weekend.
Also you can use lsof to list the processes/daemons occupying a port: lsof -i TCP:31965 This should show you the command running on this port, the user and the node name (port or port definition from /etc/services).
> Despite all of the helpful replies from list members, I remain confused about how this occurred. Because this machine is located on my home LAN, I believe that a local compromise is unlikely.
Not if you have a nosey daughter or son (or a little brother/sistah...) ;-)) But seriously: If you haven't configured any packet filtering/firewalling and have used some outdated daemons with lots of vulnerabilities (cron, lpd, at, named, man, etc...etc.) or bad (i.e. short, easy-to-guess) passwords (especially for root), together with an old kernel (2.2.13 had troubles with certain networking issues), it's not very confusing that your home machine has been hijacked. Most would-be attackers scan whole subnets for easy prey (like weakly secured home PCs with vulnerable services) and then go and try to "own" them. Of course, from a system cracker's view your system is no "big thing", but even (comparably) low-end home computers can be transformed into willing zombie servants by crackers trying to start distributed denial-of-service attacks with hundreds of zombies against one poor victim. The moral is that *every* interconnected computer system of *any* kind is a potential target for attacks and should therefore be secured before taking it online, regardless whether it's a private lil' box or a multi-processor web server hanging off a 2MBit line.
> Chris Quinn
---
Boris Lorenz
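The thread above turns on one defender's question: which process owns the listener on port 31965 when "netstat -anp" prints nothing useful. The script below is an added example, not code from either poster; it reads the kernel's own socket table (/proc/net/tcp) instead of trusting netstat or lsof binaries, which an intruder may have replaced. It decodes the hex local port, keeps only sockets in LISTEN state (0A), compares them against an allowlist of ports you expect, and maps the socket inode to a PID by scanning /proc/*/fd (root is needed to see other users' file descriptors). The sample socket table, the port numbers in the allowlist and the inode values are constructed for the example.

```shell
#!/bin/sh
# Added example: find listening TCP sockets and their owning processes
# straight from /proc, without relying on netstat(8) or lsof(8).
# Constructed sample in /proc/net/tcp format: a daemon listening on
# 0.0.0.0:31965 (hex 7CDD) and sshd on 127.0.0.1:22 (hex 0016).
# Column 4 is the socket state (0A = LISTEN), column 8 the uid,
# column 10 the socket inode.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:7CDD 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0'

# Read /proc/net/tcp-formatted text on stdin; print "port inode uid"
# (port in decimal) for every socket in LISTEN state.
listening_sockets() {
  tail -n +2 | while read -r sl local rem st txrx trtm retr uid timeout inode rest; do
    [ "$st" = "0A" ] || continue
    port_hex=${local#*:}                   # strip the hex IP in front of ':'
    printf '%d %s %s\n' "0x$port_hex" "$inode" "$uid"
  done
}

# Same input on stdin; print only listeners whose port is not in the
# space-separated allowlist given as $1 (the ports you know you run).
unexpected_ports() {
  allow=" $1 "
  listening_sockets | while read -r port inode uid; do
    case "$allow" in
      *" $port "*) ;;                      # expected service, stay quiet
      *) printf '%s %s %s\n' "$port" "$inode" "$uid" ;;
    esac
  done
}

# Map a socket inode to "pid comm" by looking for socket:[inode] among
# every process's open file descriptors. Needs root to see other users'
# processes; an empty result usually means insufficient privilege.
pid_for_inode() {
  inode=$1
  for fd in /proc/[0-9]*/fd/*; do
    [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] || continue
    pid=${fd#/proc/}; pid=${pid%%/*}
    printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
  done | sort -u
}

# Live mode: audit this host's real socket table against an allowlist,
# e.g.  sudo sh audit_ports.sh --live "22 25 80"
if [ "${1:-}" = "--live" ]; then
  unexpected_ports "${2:-22}" < /proc/net/tcp | while read -r port inode uid; do
    printf 'unexpected listener: port %s uid %s -> %s\n' \
      "$port" "$uid" "$(pid_for_inode "$inode")"
  done
fi
```

Run against the constructed sample, `unexpected_ports "22 25"` reports only the 31965 listener; run with `--live` it walks the real /proc/net/tcp, which also covers the case in the thread where the listener was started by a process netstat would not attribute to a PID for an unprivileged user.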