Use "lsof -i | grep <port>" to find out exactly what binary is running on that port. Then you can find out where it's at. Are there any other hidden utils, etc? I'd also do a "netstat -an" and see what is connected to your mystery port. Find out where your attacker is coming from.
Robert

Thus spake Steve Juranich ([EMAIL PROTECTED]):
> Well, I wasn't paying a whole lot of attention and I had every unnecessary
> port closed... or so I thought. I was still running the portmapper. So
> when I ssh'd home today and nmapped myself, a couple of mysterious processes
> popped up.
>
> To begin with: I nmapped my box and saw, much to my dismay:
>
> Port    State   Protocol  Service
> 22      open    tcp       ssh
> 111     open    tcp       sunrpc
> 515     open    tcp       printer
> 1527    open    tcp       tlisrv
> 6000    open    tcp       X11
>
> As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
> (the mystery process) both died. Then later today, I ssh'd home again and
> saw:
>
> Port    State   Protocol  Service
> 22      open    tcp       ssh
> 515     open    tcp       printer
> 2027    open    tcp       shadowserver
> 6000    open    tcp       X11
>
> Then, by looking through /var/log/auth.log, I see that every morning at
> around 7:35, three sessions are being opened. Two for user 'news' by
> (uid=0) and one for user 'nobody' also by (uid=0).
>
> I plan on removing nntp from my box immediately, since I don't use my box as
> a server in any way. Can anybody please explain to me what's going on?
> Has my box been compromised? What do I do?
>
> Copious thanks in advance for any help.
>
> ----------------------------------------------------------------------
> Stephen W. Juranich              [EMAIL PROTECTED]
> Electrical Engineering           http://students.washington.edu/sjuranic
> University of Washington         http://rcs.ee.washington.edu/ssli
>
> --
> Unsubscribe? mail -s unsubscribe [EMAIL PROTECTED] < /dev/null

:wq!
---------------------------------------------------------------------------
Robert L. Harris                  | Micros~1 :
Senior System Engineer            |   For when quality, reliability
at RnD Consulting                 |     and security just aren't
\_                                |       that important!

DISCLAIMER: These are MY OPINIONS ALONE.  I speak for no-one else.

FYI: perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
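The auth.log observation in the quoted message (sessions for 'news' and 'nobody' opened by uid=0 at the same time every morning) is the kind of thing worth checking systematically rather than by eye. The script below is an added example, not code from either poster: it parses the classic PAM_unix "session opened for user X by (uid=N)" syslog lines, records which PAM service opened each session, groups them by (service, user, HH:MM), and reports which patterns recur on several days versus which appear only once. The log excerpt is constructed for the example, and the "(cron)" and "(login)" service tags in it are assumed sample values, not lines from the original box.

```python
import re
from collections import defaultdict

# Constructed sample auth.log excerpt (not from the original post). Format is
# the classic syslog "Mon DD HH:MM:SS host proc[pid]: message" with the
# PAM_unix wording "(service) session opened for user X by (uid=N)".
SAMPLE_AUTH_LOG = """\
Mar 12 07:35:01 box PAM_unix[1201]: (cron) session opened for user news by (uid=0)
Mar 12 07:35:01 box PAM_unix[1202]: (cron) session opened for user news by (uid=0)
Mar 12 07:35:02 box PAM_unix[1203]: (cron) session opened for user nobody by (uid=0)
Mar 12 07:35:03 box PAM_unix[1203]: (cron) session closed for user nobody
Mar 13 07:35:01 box PAM_unix[1420]: (cron) session opened for user news by (uid=0)
Mar 13 07:35:01 box PAM_unix[1421]: (cron) session opened for user news by (uid=0)
Mar 13 07:35:02 box PAM_unix[1422]: (cron) session opened for user nobody by (uid=0)
Mar 13 23:17:44 box PAM_unix[1899]: (login) session opened for user news by (uid=0)
"""

# Matches only "session opened" lines; "session closed" and unrelated lines
# are skipped. The "(service)" tag is optional because not every PAM build
# emits it; when absent we fall back to the logging process name.
SESSION_OPEN_RE = re.compile(
    r"^(?P<date>\w{3}\s+\d{1,2}) (?P<hhmm>\d{2}:\d{2}):\d{2} "
    r"(?P<host>\S+) (?P<proc>[^\s\[:]+)(?:\[\d+\])?: "
    r"(?:\((?P<service>[^)]+)\) )?session opened for user (?P<user>\S+) "
    r"by (?P<by>\S*?)\(uid=(?P<uid>\d+)\)\s*$"
)


def parse_session_opens(text):
    """Return one dict per 'session opened' line found in the log text."""
    events = []
    for line in text.splitlines():
        m = SESSION_OPEN_RE.match(line)
        if m:
            d = m.groupdict()
            d["service"] = d["service"] or d["proc"]
            events.append(d)
    return events


def group_by_pattern(events):
    """Map (service, user, HH:MM) -> sorted list of dates it occurred on.

    The same service opening the same user's session at the same minute on
    many days is the signature of a scheduled job; a one-off entry from an
    interactive service at an odd hour is what deserves a closer look."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["service"], e["user"], e["hhmm"])].add(e["date"])
    return {key: sorted(days) for key, days in seen.items()}


def find_irregular(events, min_days=2):
    """Patterns seen on fewer than min_days distinct days, sorted for stability."""
    groups = group_by_pattern(events)
    return sorted(key for key, days in groups.items() if len(days) < min_days)


if __name__ == "__main__":
    evs = parse_session_opens(SAMPLE_AUTH_LOG)
    for key, days in sorted(group_by_pattern(evs).items()):
        print(f"{key[0]:>6} {key[1]:<8} at {key[2]}: {len(days)} day(s) {days}")
    print("irregular:", find_irregular(evs))
```

Run it against a real `/var/log/auth.log` by replacing `SAMPLE_AUTH_LOG` with the file contents; the service field tells you which PAM-using program (cron, login, sshd, ...) opened the session, which is usually the fastest way to decide whether a recurring uid=0 entry for a system account is a scheduled job or something that needs the lsof/netstat investigation suggested above.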