A long time ago, in a galaxy far, far away, someone said...

> Use "lsof -i | grep <port>" to find out exactly what binary is running
> on that port. Then you can find out where it's at. Are there any
> other hidden utils, etc? I'd also do a "netstat -an" and see what is
> connected to your mystery port. Find out where your attacker is coming
> from.

That, of course, assumes the 'netstat' and 'lsof' binaries haven't been
trojaned to hide the tools used by the attacker.

> Thus spake Steve Juranich ([EMAIL PROTECTED]):
>
> > Well, I wasn't paying a whole lot of attention and I had every unnecessary
> > port closed... or so I thought. I was still running the portmapper. So
> > when I ssh'd home today and nmapped myself, a couple of mysterious processes
> > popped up.
> >
> > To begin with: I nmapped my box and saw, much to my dismay:
> >
> > Port    State   Protocol  Service
> > 22      open    tcp       ssh
> > 111     open    tcp       sunrpc
> > 515     open    tcp       printer
> > 1527    open    tcp       tlisrv
> > 6000    open    tcp       X11

According to nmap, tcp port 1527 is used by Oracle, so unless you're running
an SQL server I would say that's a back door they're getting in with.

> > As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
> > (the mystery process) both died. Then later today, I ssh'd home again and
> > saw:
> >
> > Port    State   Protocol  Service
> > 22      open    tcp       ssh
> > 515     open    tcp       printer
> > 2027    open    tcp       shadowserver
> > 6000    open    tcp       X11
> >
> > Then, by looking through /var/log/auth.log, I see that every morning at
> > around 7:35, three sessions are being opened. Two for user 'news' by
> > (uid=0) and one for user 'nobody' also by (uid=0).

The user 'nobody' should not be logging in. I think it would be good to see
a snippet of the /var/log/auth.log, particularly the lines where their entry
gets logged.

> > I plan on removing nntp from my box immediately, since I don't use my box as
> > a server in any way. Can anybody please explain to me what's going on?
> > Has my box been compromised? What do I do?
> >
> > Copious thanks in advance for any help.

There are several things I would do:

* It looks like the computer's at a university - it *might* be prudent to
  let the IT staff in charge of computers at the university know that your
  computer was broken into. Just in case someone (i.e. FBI) comes knocking
  at their door/your door wondering why your computer is attacking someone
  else's...

* Try to find a way to track who is connecting to your computer at 7:35 in
  the morning with a packet sniffer - either with another computer on the
  same hub or on your computer with a tcpdump binary you prepared yourself.

* If you think someone is doing bad stuff with your computer, law
  enforcement should know.

- --
- ----------------------------------------------------------------------
Phil Brutsche                                       [EMAIL PROTECTED]

GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
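The two checks discussed in this thread, listing what is really listening without trusting a possibly trojaned netstat/lsof, and pulling the "session opened for user X by (uid=0)" entries for system accounts out of auth.log, as an added example that is not part of the original thread. It reads the /proc/net/tcp socket table directly (the kernel's own view, which a replaced user-space binary cannot alter; a kernel-level rootkit still could) and compares the listeners against an allow-list. The /proc/net/tcp sample, the auth.log lines, the hostname "mybox", the allow-list and the list of system accounts are all constructed for the example.

```python
"""Added example (not from the original thread): independent listener check
via /proc/net/tcp plus an auth.log scan for sessions opened for system accounts."""
import re
import socket
import struct

# Constructed: what the box owner believes should be listening.
ALLOWED_LISTEN_PORTS = {22, 6000}
# Constructed: accounts that should never get a login/cron session.
SYSTEM_ACCOUNTS = {"news", "nobody", "daemon", "lp"}

# Constructed sample of /proc/net/tcp. local_address is hex IP:port, st 0A == LISTEN.
# 0016=22, 006F=111, 05F7=1527, 1770=6000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 00000000 100 0 0 10 0
   2: 00000000:05F7 00000000:0000 0A 00000000:00000000 00:00000000 00000000     9        0 1236 1 00000000 100 0 0 10 0
   3: 0100007F:1770 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1 00000000 100 0 0 10 0
   4: 0100007F:0016 0A000002:C3E4 01 00000000:00000000 00:00000000 00000000     0        0 1238 1 00000000 100 0 0 10 0
"""

# Constructed auth.log lines in the style the thread describes (not the poster's real log).
AUTH_LOG_SAMPLE = """\
Jun  8 07:35:01 mybox PAM_unix[2201]: (cron) session opened for user news by (uid=0)
Jun  8 07:35:01 mybox PAM_unix[2202]: (cron) session opened for user news by (uid=0)
Jun  8 07:35:02 mybox PAM_unix[2203]: (cron) session opened for user nobody by (uid=0)
Jun  8 09:12:44 mybox sshd[2310]: (pam_unix) session opened for user steve by (uid=0)
"""


def _hex_to_ip(hex_ip):
    """/proc/net/tcp stores IPv4 as little-endian hex: 0100007F -> 127.0.0.1."""
    return socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))


def parse_listeners(proc_net_tcp_text):
    """Return [(ip, port, uid)] for every socket in LISTEN state (st == 0A)."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8:
            continue
        local, state, uid = fields[1], fields[3], fields[7]
        if state != "0A":
            continue
        ip_hex, port_hex = local.split(":")
        listeners.append((_hex_to_ip(ip_hex), int(port_hex, 16), int(uid)))
    return listeners


def unexpected_listeners(listeners, allowed=ALLOWED_LISTEN_PORTS):
    """Listeners whose port is not on the allow-list; compare with a remote nmap."""
    return sorted(entry for entry in listeners if entry[1] not in allowed)


SESSION_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (?P<src>\w+)\[\d+\]: "
    r".*session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)"
)


def suspicious_sessions(log_text, system_accounts=SYSTEM_ACCOUNTS):
    """Return (timestamp, source, user, uid) for sessions opened for system accounts."""
    hits = []
    for line in log_text.splitlines():
        m = SESSION_RE.search(line)
        if m and m.group("user") in system_accounts:
            hits.append((m.group("ts"), m.group("src"), m.group("user"), int(m.group("uid"))))
    return hits


if __name__ == "__main__":
    # On a live box replace the samples with open("/proc/net/tcp").read()
    # and open("/var/log/auth.log").read().
    for ip, port, uid in unexpected_listeners(parse_listeners(SAMPLE_PROC_NET_TCP)):
        print(f"unexpected listener {ip}:{port} (uid {uid})")
    for ts, src, user, uid in suspicious_sessions(AUTH_LOG_SAMPLE):
        print(f"{ts} {src}: session for system account '{user}' by uid={uid}")
```

Run against the samples it reports ports 111 and 1527 as unexpected and the three 07:35 sessions for 'news' and 'nobody'. Because it only reads /proc, it gives a second opinion that does not depend on the netstat or lsof binaries; the mismatch between this list and the remote nmap (or an absent port that nmap sees open) is itself a finding worth noting before the box is rebuilt.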