Joel Lopez said:
> Hi,
>
> I seem to be having a lot of traffic on port 6667. I looked around and it seems that port is for IRC. I guess I was hacked and someone installed it on my machine.
>
> How would I go about finding out where it's being started and how to close that port?
First, back up any data that is important to you. Next, unplug the machine from the network (or do this first, depending on your setup). Next, install/run lsof to see what files are open. This can help track down rogue stuff. You're best off copying an lsof binary from another system and installing it. The last rootkit I encountered had trojaned copies of many programs including ps, but lsof was unaffected; your experience may vary.

Beware, if you have been "hacked" and perhaps have had a rootkit installed, it can be a VERY difficult process for a newbie to recover without a reinstall. I had the fortune of being able to work on a machine that was rootkit'd last year and it took probably 45 minutes to flush out most traces of it, and the attackers did not get in afterwards. I still recommended to the box owner that he reinstall the system ASAP, which he did a few months later. The process was quite entertaining.

Unless you really know what you're doing, e.g. know what processes you're supposed to be running, and can notice suspicious activity and know how to track it down, you're best off backing up & reinstalling. Or finding someone who can do this for you; perhaps you know someone personally that you can trust to help you.

The big thing is to take the machine off the network. If an attacker notices you're actively trying to fight them, they may take drastic measures. I was first "hacked" back in, I think, 1997. I responded immediately by doing a bunch of stuff; the attacker triggered an alarm the next morning (I was 1500 miles away), and I was doing some traffic sniffing when he firewalled my IP from the system. I wasn't very experienced back then but we were lucky, since another system that same guy was suspected of "hacking" got its drives wiped. My system suffered no noticeable, permanent damage.

nate

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
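The lsof-based triage the reply recommends, written out as an added example (not code from the thread or from either poster). It assumes a Linux /proc filesystem and an RPM-based system for the package check; the parsing step is a separate function so it can also be run over lsof output saved from the suspect box.

```sh
#!/bin/sh
# Added example: triage a suspicious port (6667 in the question) by finding
# the process behind the socket and checking what is known about its binary.
# Assumes Linux /proc and RPM; set LSOF=/path/to/known-good/lsof if you copied
# a trusted lsof from a clean system, as the reply suggests.

# pids_from_lsof PORT: read `lsof -nP -iTCP` output on stdin and print
# "PID COMMAND" for every socket whose local or remote port is PORT.
# Catches both a listener on the port and an outbound bot connecting to it.
# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
pids_from_lsof() {
    awk -v port="$1" '
        BEGIN { pat = ":" port "([^0-9]|$)" }
        $2 ~ /^[0-9]+$/ && $0 ~ pat { print $2, $1 }' | sort -u
}

# inspect_pid PID: show the executable behind the socket (a "(deleted)"
# suffix means the binary was removed after start, a common rootkit habit),
# its command line, its parent, and whether an RPM owns it and still matches.
inspect_pid() {
    pid="$1"
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')
    echo "pid=$pid exe=$exe"
    echo "  cmdline: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "  parent:  $(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null)"
    if pkg=$(rpm -qf "$exe" 2>/dev/null); then
        echo "  package: $pkg"
        # rpm -V prints nothing when every file still matches the package
        rpm -V "$pkg" | sed 's/^/  rpm -V: /'
    else
        echo "  package: none (not owned by any installed RPM)"
    fi
}

# triage PORT: run lsof for the port and inspect every process it reports.
triage() {
    "${LSOF:-lsof}" -nP -iTCP:"$1" 2>/dev/null | pids_from_lsof "$1" |
    while read -r pid cmd; do
        echo "== $cmd"
        inspect_pid "$pid"
    done
}

# Invoke as:  sh triage.sh --run [PORT]   (default 6667)
if [ "${1:-}" = "--run" ]; then
    triage "${2:-6667}"
fi
```

Run it from a trusted shell with the machine already off the network; a hit whose executable is "(deleted)", unowned by any package, or owned by a package that `rpm -V` flags is the thing to look at first.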