Mailinglist Archive: opensuse-security (363 mails)

< Previous Next >
Re: [suse-security] have I been invaded?
  • From: John Andersen <jsa@xxxxxxxxxxxxxx>
  • Date: Tue, 3 Jun 2003 15:45:58 -0800
  • Message-id: <200306031545.58498.jsa@xxxxxxxxxxxxxx>
On Tuesday 03 June 2003 14:05, Richard wrote:
> My logs showed that I was constantly being scanned for ports 80, and the
> other windows based ports like 443 and 1434, . Also I saw a lot of
> scans by Korean and Chinese URL's hitting my higher ports like 27374.
> One day I noticed things were not quite right. It;s hard to describe
> what was going on, so I downloaded and fired up the chkrootkit app and
> sure enough, I had been invaded.

If you saved your config files from the old instalation, check your
sshd_config to see if you had enabled ssh1.

I have heard of 3 different suse 7.3 boxes rooted in the last 4 weeks
and the only thing in common was ssh1 available from the net.

John Andersen

< Previous Next >
Follow Ups