hi ya steve

do the lsof and netstat thing and am curious....

try:
    egrep -i "failed|failure|refused|not allowed|illegal port|blocked|denied|passwd" /var/log/messages*

try: last, w, who, too

check the binaries too... top, ps, ls, last, w, who, netstat, passwd, login, etc...

have fun
alvin

am beginning to think this (untested) script might be useful.. especially if one hates getting daily tripwire reports that are not necessarily true "warning/danger" emails...

> > #!/bin/sh
> > #
> > # Example script to check binaries...( untested )
> > #
> > #
> > LST1="/etc/passwd /etc/shadow /bin/login /usr/bin/passwd"
> > LST2="/bin/ls /usr/bin/top /usr/bin/w /usr/bin/who /usr/bin/last"
> > LST3="/bin/ps /bin/netstat /sbin/ifconfig /sbin/route"
> > LIST="$LST1 $LST2 $LST3"
> > #
> > # Initialize: record the sum of the tar stream of all listed files
> > # (note: tar output includes mtimes and ownership, so a touched file
> > # changes the sum as well as a modified one)
> > #
> > if [ "$1" = "-init" ] ; then
> >     sum=`tar -cf - $LIST | sum`
> >     echo "$sum" > /Some_Secure_place/check_sum.txt
> > fi
> > #
> > res=`cat /Some_Secure_place/check_sum.txt`
> > #
> > #
> > check=`tar -cf - $LIST | sum`
> > #
> > if [ "$res" != "$check" ]; then
> >     mail -s "Binaries been Modified" [EMAIL PROTECTED] \
> >         < /dev/null
> >     # or send a msg to a pager...etc..etc..
> > fi
> > #
> > # end of file

On Wed, 27 Sep 2000, Steve Juranich wrote:

> Well, I wasn't paying a whole lot of attention and I had every unnecessary
> port closed... or so I thought. I was still running the portmapper. So
> when I ssh'd home today and nmapped myself, a couple of mysterious processes
> popped up.
>
> To begin with: I nmapped my box and saw, much to my dismay:
>
> Port    State   Protocol   Service
> 22      open    tcp        ssh
> 111     open    tcp        sunrpc
> 515     open    tcp        printer
> 1527    open    tcp        tlisrv
> 6000    open    tcp        X11
>
> As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
> (the mystery process) both died. Then later today, I ssh'd home again and
> saw:
>
> Port    State   Protocol   Service
> 22      open    tcp        ssh
> 515     open    tcp        printer
> 2027    open    tcp        shadowserver
> 6000    open    tcp        X11
>
> Then, by looking through /var/log/auth.log, I see that every morning at
> around 7:35, three sessions are being opened. Two for user 'news' by
> (uid=0) and one for user 'nobody' also by (uid=0).
>
> I plan on removing nntp from my box immediately, since I don't use my box as
> a server in any way. Can anybody please explain to me what's going on?
> Has my box been compromised? What do I do?
>
> Copious thanks in advance for any help.
>
> ----------------------------------------------------------------------
> Stephen W. Juranich                                   [EMAIL PROTECTED]
> Electrical Engineering            http://students.washington.edu/sjuranic
> University of Washington             http://rcs.ee.washington.edu/ssli
>
> --
> Unsubscribe?  mail -s unsubscribe [EMAIL PROTECTED] < /dev/null
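As an added example (not alvin's script and not part of the thread), here is a per-file version of the same binary-check idea: it records a sha256sum baseline for each watched binary and reports which ones changed or went missing, instead of a single sum over a tar stream, so one touched file does not flag the whole set without saying which. It assumes sha256sum is installed; WATCH_LIST and BASELINE are placeholder values to replace with the real list and a path off the box's normal filesystem.

```shell
#!/bin/sh
# Per-file baseline checker (added example, not from the thread).
# Assumes sha256sum (coreutils). WATCH_LIST/BASELINE are placeholders.
WATCH_LIST="${WATCH_LIST:-/bin/ls /bin/ps /usr/bin/passwd}"
BASELINE="${BASELINE:-/Some_Secure_place/check_sum.txt}"

# checksum_list: one "HASH  PATH" line per existing watched file, sorted by path.
checksum_list() {
    for f in $WATCH_LIST; do
        [ -f "$f" ] && sha256sum "$f"
    done | sort -k2
}

# baseline_init: record the current hashes; keep the file readable by root only.
baseline_init() {
    checksum_list > "$BASELINE"
    chmod 600 "$BASELINE"
}

# baseline_check: print MODIFIED/MISSING lines for files that differ from the
# baseline. Returns 0 when everything matches, 1 otherwise.
baseline_check() {
    changed=0
    while read -r hash path; do
        if [ ! -f "$path" ]; then
            echo "MISSING $path"
            changed=1
        else
            cur=$(sha256sum "$path" | cut -d' ' -f1)
            if [ "$cur" != "$hash" ]; then
                echo "MODIFIED $path"
                changed=1
            fi
        fi
    done < "$BASELINE"
    return $changed
}

# Usage: script -init   (record baseline)   |   script -check   (compare)
case "${1:-}" in
    -init)  baseline_init ;;
    -check) baseline_check || echo "binaries modified" >&2 ;;  # or mail/pager
esac
```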