Mailinglist Archive: opensuse-security (757 mails)

Re: [suse-security] does it mean my system was hacked
  • From: Sven Michels <smichels@xxxxxxxxxxxx>
  • Date: Thu, 24 Jan 2002 15:13:39 +0100
  • Message-id: <3C501693.D6F2A094@xxxxxxxxxxxx>
sambit wrote:
>
> Hi, my system is connected to the network by DSL.
> I do not know, sometimes I found a lot of activity in my system, and when
> I checked the system each time I found this process
>
> sambit@linux:~ > ps -ef | grep find
> nobody 6612 6610 0 00:15 ? 00:00:00 su nobody -c /usr/bin/find /
> \( -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o
> -fstype smbfs
> -o -fstype autofs -o -type d -regex
> '\(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)'
> \) -prune -o -print
> root 6613 6590 0 00:15 ? 00:00:00 /usr/lib/find/frcode
> nobody 6614 6612 7 00:15 ? 00:00:09 /usr/bin/find / (
> -fstype nfs -o -fstype NFS -o -fstype proc -o -fstype afs -o -fstype
> smbfs -o -fstype autofs -o -type d -regex
> \(^/S.u.S.E.$\)\|\(^/mnt$\)\|\(^/cdrom$\)\|\(^/tmp$\)\|\(^/usr/tmp$\)\|\(^/var/tmp$\)\|\(^/var/spool$\)\|\(^/proc$\)
> ) -prune -o -pri

that seems to be the updatedb for locate, it's started via cron
every night.
maybe this hangs around because of smb shares which are disconnected
or uncleanly unmounted, also nfs maybe...



> I checked my DSL Router log files also
>
> I found some information like this
>
> 01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP
> port 27374
> 01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP
> port 1080
> 01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP
> port 1080
> 01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP
> port 27374
> 01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP
> port 27374
> 01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP
> port 27374

that's 'normal' subnet scanning for subseven (windows trojan).
you can safely ignore that if you don't have a windows box
directly connected to the internet (or forwarded that port
to windows ;)

--
intraDAT AG http://www.intradat.com
Wilhelm-Leuschner-Strasse 7 Tel: +49 69-25629-0
D - 60329 Frankfurt am Main Fax: +49 69-25629-256
Junk mail is war. RFCs do not apply.
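
The triage described in the reply, applied to the quoted router log, as an added example that is not part of the original mail: it groups the "Unrecognized access" entries by source and destination port and marks for review only probes to ports that are forwarded to an inside host. The function names, the `forwarded_ports` parameter and the SOCKS label for port 1080 are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# 27374 is the SubSeven port named in the reply; the SOCKS label for 1080
# is this example's assumption and is not stated in the mail.
KNOWN_PORTS = {27374: "SubSeven trojan", 1080: "SOCKS proxy"}

# "[\s>]+" lets a match span a mail-wrapped, ">"-quoted line break.
LINE_RE = re.compile(
    r"(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+) to (TCP|UDP)[\s>]+port (\d+)")

# The six entries from the quoted router log, with the line wraps undone.
SAMPLE_LOG = """\
01/23/2002 08:20:52 Unrecognized access from 211.219.231.67:2016 to TCP port 27374
01/23/2002 08:44:12 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 08:44:14 Unrecognized access from 64.231.9.185:3683 to TCP port 1080
01/23/2002 11:07:09 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:12 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
01/23/2002 11:07:18 Unrecognized access from 61.79.232.158:3119 to TCP port 27374
"""

def parse(log_text):
    """Return one dict per 'Unrecognized access' entry found in log_text."""
    events = []
    for ts, src, sport, proto, dport in LINE_RE.findall(log_text):
        events.append({"time": datetime.strptime(ts, "%m/%d/%Y %H:%M:%S"),
                       "src": src, "sport": int(sport),
                       "proto": proto, "dport": int(dport)})
    return events

def summarize(events, forwarded_ports=()):
    """Group probes by (source, protocol, destination port).

    forwarded_ports: ports the router forwards to an inside host (assumed
    input); only probes to those ports are marked for review.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["proto"], e["dport"])].append(e["time"])
    return [{"src": src, "proto": proto, "dport": dport, "hits": len(times),
             "first": min(times), "last": max(times),
             "label": KNOWN_PORTS.get(dport, "unknown"),
             "review": dport in forwarded_ports}
            for (src, proto, dport), times in sorted(groups.items())]

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE_LOG)):
        print(row["src"], row["proto"], row["dport"], row["label"],
              "hits:", row["hits"], "review:", row["review"])
```

With no forwarded ports every row comes back with `review` set to False, which is the "ignore it" case from the reply; passing the router's actual forwarding list changes that only for the ports concerned.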
