to the best of my knowledge the services you mentioned are almost all passive. even those like htdig shouldn't generate this sort of behaviour.
there are many others which could: nmap, amap, pnscan to name a few

----- Original Message -----
From: "DSC Siltec" <[EMAIL PROTECTED]>
To: <debian-user@lists.debian.org>
Sent: Thursday, April 25, 2002 5:43 PM
Subject: Newbie and scan attack

> I have a bit of a problem: I just installed Woody on a dual-boot box, got KDE and all up and running, and very soon found that I was losing my connection.
>
> I inquired as to why, and I was told I was being cut off because my computer was scan-attacking the ISP proxy server.
>
> One scan attack attacked my proxy server's proxy port, from 1031, 1032, 1033, 1034, 1035... and expired about 8 minutes later.
>
> Anyhow, I had a bunch of junk on the system that I probably didn't need -- portmap, htdig, roxen, wwwoffled, and apache are a few of the items -- and I went ahead and removed them. Others, like lpd, I don't know how to remove. When I ran netstat -punta, with my network disconnected, I found a bunch of reports from htdig (open/close).
>
> I'm wondering if that was the source of the problem, or if I have been taken over by a remote operator, and how I can clean, then secure, my system.
>
> Is there anything that hit this particular list server, specifically (also), because I had been a subscriber -- and every so often a piece of trash mail comes through, and it makes me wonder if there was some kind of an automated virus that hit me.
>
> Aside from that, other things I noticed: getty runs tty2-tty6 (Bash runs tty1) whenever I have K running -- and I wonder if that is perhaps initiating the attack; I also see miniserv.pl, and proftpd; I wonder if I need those.
>
> klisa and inetd both also make internet accesses. When I run netstat -nlp, I see that ksmserver is listening, artsd, and ssh-agent are also running. So are my truetype servers Xfs, Xfs-xtt, and the X server, lpd, and KDEinit.
>
> I also have a Windows system -- and, sometimes using the same network connection [manual plug-over] a Macintosh, and it is possible that the attacks were coming through one of those. But the Windows system has a good firewall "ZoneAlarm" that I can use and understand [I don't yet understand the Linux one] and McAfee antivirus with autoupdate.
>
> When you reply, please cc: me at [EMAIL PROTECTED]. I nominally removed myself from the list server -- it doesn't seem to have worked, but it might remove me at any time.
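
Added example, not part of either message in this thread: a Python sketch that sorts `netstat -punta` output into passive listeners and outbound connections, and groups the outbound ones by remote endpoint so that a run of source ports to one proxy port, like the one the ISP reported, can be tied to a PID/program. The sample capture, addresses, program names and the threshold of 3 are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of `netstat -punta`; addresses are
# documentation ranges and the program names are illustrative only.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      412/apache
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      388/proftpd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           201/portmap
tcp        0      1 192.0.2.10:1031         198.51.100.5:3128       SYN_SENT    1203/example-client
tcp        0      1 192.0.2.10:1032         198.51.100.5:3128       SYN_SENT    1203/example-client
tcp        0      1 192.0.2.10:1033         198.51.100.5:3128       SYN_SENT    1203/example-client
tcp        0      1 192.0.2.10:1034         198.51.100.5:3128       TIME_WAIT   -
tcp        0      0 192.0.2.10:1040         203.0.113.9:25          ESTABLISHED 1310/example-mua
"""

def parse_netstat(text):
    """Return one dict per tcp/udp socket line, skipping the two header lines."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not re.match(r"(tcp|udp)", f[0]):
            continue
        # Unconnected UDP sockets have an empty State column: one field fewer.
        state, prog = (f[5], " ".join(f[6:])) if len(f) >= 7 else ("", f[5])
        rows.append({"lport": int(f[3].rsplit(":", 1)[1]), "remote": f[4],
                     "state": state, "prog": prog})
    return rows

def is_passive(row):
    """A socket waiting for inbound traffic; it initiates nothing itself."""
    return row["state"] == "LISTEN" or row["remote"].endswith(":*")

def listeners(rows):
    return sorted({r["prog"] for r in rows if is_passive(r)})

def outbound_bursts(rows, threshold=3):
    """Remote endpoints contacted from `threshold` or more distinct local ports."""
    by_remote = defaultdict(list)
    for r in rows:
        if not is_passive(r):
            by_remote[r["remote"]].append((r["lport"], r["prog"]))
    return {k: sorted(v) for k, v in by_remote.items()
            if len({port for port, _ in v}) >= threshold}

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print("passive listeners:", listeners(rows))
    for remote, hits in outbound_bursts(rows).items():
        print("burst to", remote, "from", hits)
```

Run netstat as root when capturing real output, otherwise the PID/Program column shows `-` for sockets owned by other users.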