On Tue, 2003-06-03 at 14:24, Eduard Avetisyan wrote:
Hi Richard,
Sorry, can't get any useful hint for your routing table. But I'd very much like to know more about the rootkit and the hole used for getting into your machine. As far as I understood, you're running a firewall, so it shouldn't be too easy for an intruder? (read: I'm running an 8.2 too, and without a decent firewall, so I would like to know where to expect a hit from ,-) Maybe a fix for it can make it into the next security update?
Good luck, Ed
I went surfing bareback is what caused my problem! I'm on cable and always playing with my machine. Occasionally I would stop and clear Shorewall to find out why my machine wouldn't let me or my other subhosts get on the net. It was probably during one of those excursions that it happened. If you don't have a good firewall you have probably been hit already. My logs showed that I was constantly being scanned for port 80, and the other Windows-based ports like 443 and 1434. Also I saw a lot of scans by Korean and Chinese URLs hitting my higher ports like 27374.

One day I noticed things were not quite right. It's hard to describe what was going on, so I downloaded and fired up the chkrootkit app and sure enough, I had been invaded. Following the advice of others, I reformatted and reinstalled everything. Not a fun process, as I had a lot of neat things like Mplayer working perfectly. After saving my /home stuff to a CD I did the reformatting and reinstalling. Now I am very careful to unplug the cable modem whenever I decide to kill the firewall. I also run the chkrootkit thing periodically. As I am a long way from being a security expert, I have learned to be careful and seek advice from those who know a lot more than I. I have also been a lot more cautious. I periodically go on GRC.com and let them scan a few ports, and they show that the ports they look at are in stealth mode.

Bottom line, get a good, easy firewall and be careful what you allow in. I like Shorewall because it is easy to use and the support by the author is outstanding, as is the documentation. I find SuSEfirewall too confusing and I really don't want to know how to set up the iptables. Shorewall does the translation for me.

As to my current problem, I'm not sure my machine has been invaded, but the routing gateway is different, so I am looking for anyone that can tell me what is going on. It may be that when I DHCP my ISP for my IP they are changing it, but I sure would like to know.
From all I can see using online port scanners, my box is fairly well secured. I hope my rambling did not get too off topic and answered your questions. Give a look at www.blackcode.com. Regards, Richard