Alvin Oga wrote:

hi ya tripolar

On Thu, 27 May 2004, tripolar wrote:



What logs?



/var/log/{messages,syslog,debug,warn}



here are a few lines from the "hit" list
time:May 27 21:22:29 in: out:eth1 port:12345 source:192.168.1.1 dest:81.53.*.* len:44 tos:0x00 protocol:tcp service:netbus
time:May 27 22:10:38 in: out:eth1 port:1234 source:192.168.1.1 dest:63.207.*.* len:40 tos:0x00 protocol:tcp service:subseven



it says subseven is running on your 192.168.1.1 box ... or something that uses that default service name

if 192.168.1.1 is a windoze box ... it's been hacked/trojaned

if 192.168.1.1 is a deb box... why is subseven or equivalent running on it?


        - how did it get there

        - how do you update your deb boxes ...
        ( if it is a deb box... time to rebuild or find somebody
        ( locally to figure out what is broken on your box

"google: subseven" and the first 2 links are what you need/want ...



what is the output of "netstat -nv"




netstat -nv only brought up two addresses: my ISP's mail servers



you have to have the cracker online at the time for netstat to show who's using the machine ... and/or a lazy script kiddie will stay on 24x7 ( and get caught )

you have to run netstat say every minute ... exclude your own ip# and allowed ports and see who is left that is using your box

c ya
alvin




here is part of /var/log/syslog; there are 7 requests from my machine over several minutes

May 28 00:34:32 fatboy kernel: IN= OUT=eth1 SRC=192.168.1.1 DST=81.53.*.* LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=49686 DF PROTO=TCP SPT=48961 DPT=12345 WINDOW=5808 RES=0x00 SYN URGP=0
May 28 00:45:04 fatboy -- MARK --
May 28 00:47:52 fatboy kernel: IN= OUT=eth1 SRC=192.168.1.1 DST=81.168.*.* LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=15482 DF PROTO=TCP SPT=23190 DPT=1234 WINDOW=0 RES=0x00 ACK RST URGP=0


This is a Debian-Sid machine. My guess is operator error :-( Probably too many to list. Hmmm, checking out two websites about subseven, I only see windoze versions. Hmmm, maybe I have been using too much "WINE" and got myself into trouble?? Oh well, I installed this with a 2.6 kernel and have debated whether or not I should have started with a 2.4 kernel. Might be as good a time as any to reinstall :-)
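The two checks Alvin describes above (scan the firewall log for outbound hits on the "hit list" ports, and run netstat regularly with your own addresses and allowed ports filtered out) are easy to script. Below is an added example, not code from this thread or from Debian: the port-to-name table only mirrors the labels shown in the poster's hit list and is not an authoritative trojan port list, the local address 192.168.1.1 is taken from the thread, and the syslog and netstat lines are constructed (masked addresses replaced with TEST-NET values). It also makes a distinction the raw log does not: a packet with SYN alone is a connection the box itself opened, while an ACK RST with WINDOW=0 is the kernel resetting a segment it did not expect, so the two are reported separately.

```python
"""Triage helpers for the firewall log and netstat checks from the thread.

Added example, not the thread's or Debian's own code.  WATCHED_PORTS,
SAMPLE_SYSLOG and SAMPLE_NETSTAT are constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Port labels as they appear in the poster's hit list (illustrative table,
# not an authoritative trojan port list).
WATCHED_PORTS = {12345: "netbus", 1234: "subseven"}

# iptables LOG lines are KEY=VALUE pairs plus bare TCP flag tokens.
_KV = re.compile(r"(\w+)=(\S*)")
_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}


@dataclass
class Hit:
    src: str
    dst: str
    dport: int
    service: str
    flags: frozenset


def parse_log_line(line):
    """Return the fields of an iptables LOG line (plus a FLAGS set), or None
    for non-firewall lines such as the syslog '-- MARK --' heartbeat."""
    if "kernel:" not in line or "PROTO=" not in line:
        return None
    body = line.split("kernel:", 1)[1]
    fields = dict(_KV.findall(body))
    fields["FLAGS"] = frozenset(t for t in body.split() if t in _FLAGS)
    return fields


def outbound_hits(lines, local_ip, allowed_dst=()):
    """Split outbound packets to a watched port into (initiated, resets).

    A bare SYN from local_ip is a connection this box opened itself; an
    ACK+RST from local_ip is the kernel resetting an unexpected inbound
    segment and is listed separately so it is not mistaken for a callout.
    """
    initiated, resets = [], []
    for line in lines:
        f = parse_log_line(line)
        if f is None or f.get("OUT", "") == "" or f.get("SRC") != local_ip:
            continue                      # inbound or not from this host
        if f.get("PROTO") != "TCP":
            continue
        dport = int(f["DPT"])
        if dport not in WATCHED_PORTS or f["DST"] in allowed_dst:
            continue
        rec = Hit(f["SRC"], f["DST"], dport, WATCHED_PORTS[dport], f["FLAGS"])
        if rec.flags == {"SYN"}:
            initiated.append(rec)
        elif "RST" in rec.flags:
            resets.append(rec)
    return initiated, resets


def foreign_connections(netstat_output, allowed_ips=(), allowed_ports=()):
    """The 'see who is left' step: ESTABLISHED TCP peers that are neither an
    allowed remote address nor attached to an allowed local port.  Feed it
    `netstat -n` output from a one-minute cron job."""
    left = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue                      # headers, udp, unix sockets
        local, foreign, state = parts[3], parts[4], parts[5]
        if state != "ESTABLISHED":
            continue
        lport = int(local.rsplit(":", 1)[1])
        fip = foreign.rsplit(":", 1)[0]
        if fip in allowed_ips or lport in allowed_ports:
            continue
        left.append((local, foreign))
    return left


# Constructed sample input modelled on the poster's syslog excerpt.
SAMPLE_SYSLOG = [
    "May 28 00:34:32 fatboy kernel: IN= OUT=eth1 SRC=192.168.1.1 DST=192.0.2.10 LEN=44 TOS=0x00 PREC=0x00 TTL=64 ID=49686 DF PROTO=TCP SPT=48961 DPT=12345 WINDOW=5808 RES=0x00 SYN URGP=0",
    "May 28 00:45:04 fatboy -- MARK --",
    "May 28 00:47:52 fatboy kernel: IN= OUT=eth1 SRC=192.168.1.1 DST=198.51.100.20 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=15482 DF PROTO=TCP SPT=23190 DPT=1234 WINDOW=0 RES=0x00 ACK RST URGP=0",
    "May 28 00:50:00 fatboy kernel: IN=eth1 OUT= SRC=203.0.113.9 DST=192.168.1.1 LEN=44 TOS=0x00 PREC=0x00 TTL=50 ID=1 PROTO=TCP SPT=4321 DPT=12345 WINDOW=512 RES=0x00 SYN URGP=0",
]

# Constructed `netstat -n` style output for the filtering step.
SAMPLE_NETSTAT = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:47110       203.0.113.5:110         ESTABLISHED
tcp        0      0 192.168.1.1:22          192.168.1.7:51022       ESTABLISHED
tcp        0      0 192.168.1.1:23190       198.51.100.20:1234      ESTABLISHED
tcp        0      0 192.168.1.1:48961       192.0.2.10:12345        TIME_WAIT
"""

if __name__ == "__main__":
    opened, rst = outbound_hits(SAMPLE_SYSLOG, "192.168.1.1")
    for h in opened:
        print(f"OUTBOUND {h.service}: {h.src} -> {h.dst}:{h.dport}")
    for h in rst:
        print(f"reset only (not a callout): {h.src} -> {h.dst}:{h.dport}")
    for local, foreign in foreign_connections(
            SAMPLE_NETSTAT, allowed_ips=("203.0.113.5",), allowed_ports=(22,)):
        print(f"unexplained connection: {local} <-> {foreign}")
```

Run from cron, the useful next step for any real hit is to map the local source port back to a process while the connection is still open (`netstat -np` or `lsof -i` as root), since the log alone only says which port, not which program.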



