On Wed, Feb 26, 2003 at 04:55:50PM -0800, Joel Lopez wrote:
> I seem to be having a lot of traffic on port 6667. I looked around and it
> seems that port is for IRC. I guess I was hacked and someone installed it
> on my machine.
>
> How would I go about finding out where it's being started and how to close
> that port?
Assuming you're comfortable tackling this--if you're not totally familiar
with your disk layout and the system components, the "general rule" is to
save your data and reload.

First, take yourself off the WAN. Muy pronto. If you're really hacked, you
don't want to serve as a vector for other attacks.

I presume you're running iptables; if so, add a rule to block that port.
If not, do so. Note that one good side effect of blocking outbound
connections is that some rootkits can't "phone home" once they've broken
into the system and fail to clean up after themselves. I've been able to
pinpoint vector sources in the past from such debris.

The places programs can be started at system startup are:

  /etc/rc.d
  /etc/inittab
  cron
  anacron
  at

These constitute the timed and/or automatic program start points. But
anything on the system can be infected or trojaned, so even if you catch
contamination in these, other commands--ifconfig, for instance--when
executed can cause not only startup of trojans, or have been replaced with
trojans, but also can reinfect anything you've already cleaned.

Look in /tmp and /usr/tmp. There is often detritus left over from rootkits.

Get a copy of chkrootkit and run it. Clean up items you're warned about.
Replace compromised files from system distribution CDs, downloaded RPMs, or
self-built objects *if they've been built on another system*. Your compiler
and/or linker may be compromised.

Look at the timestamps for files identified as compromised. Some, not all,
of these files will retain the modification time of the crack. Scan your
system for anything with modification times that match these.

Look for anything in system directories with extended attributes set
(lsattr). I don't know of anything distributed from RedHat that uses
extended attributes--suspect any such files as being compromised.

Look especially for changes to /etc/ld.so.conf, and any added and/or
changed shared libraries.
For future use, save at least the following commands on a floppy or another
system; use them instead of commands on the compromised system while
investigating:

  ifconfig
  ksh
  login
  ls
  passwd
  ps
  sh
  tar
  rpm

Other common commands, of course, are useful as well, but these will let
you get in and start unpacking clean commands.

Good luck...

--
Dave Ihnat
[EMAIL PROTECTED]

--
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
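As an added example (not part of the original thread or of any Red Hat tool), three bash helpers for the checks Dave describes: files sharing a known-bad file's modification time, files carrying lsattr flags, and changes to the automatic start points. It assumes GNU findutils/coreutils, e2fsprogs lsattr and the Red Hat path layout; the function names are my own.

```bash
#!/bin/bash
# Triage helpers for the checks in the reply above. Assumes GNU find/stat/awk
# and e2fsprogs lsattr as shipped on Red Hat; run these tools from known-clean
# media (the floppy Dave mentions), never the suspect system's own copies.

# Print regular files under ROOT whose mtime (to the second) equals that of
# REF, a file already identified as compromised. A rootkit install pass
# usually stamps every file it drops with one time, so a single known-bad
# file widens the search to the rest of the set.
same_mtime_as() {
    local ref="$1" root="$2" want
    want=$(stat -c %Y -- "$ref") || return 1
    find "$root" -xdev -type f -printf '%T@ %p\n' 2>/dev/null |
        awk -v want="$want" 'int($1) == want { sub(/^[^ ]+ /, ""); print }' |
        LC_ALL=C sort
}

# Print files under ROOT with any attribute flag set, as shown by lsattr.
# The 'e' (extents) flag is skipped because ext4 sets it on every file;
# anything else ('i' immutable and 'a' append-only are the usual ways a
# trojaned binary gets pinned in place) needs to be explained.
files_with_attrs() {
    local root="$1"
    lsattr -R "$root" 2>/dev/null |
        awk 'NF < 2 { next }
             { f = $1; gsub(/[-e]/, "", f)
               if (f != "") { p = $0; sub(/^[^ ]+ /, "", p); print $1 "  " p } }' |
        LC_ALL=C sort
}

# Print entries in the start points the reply lists (rc.d, inittab, cron,
# anacron, at) modified more recently than REF, e.g. the trojaned binary.
startup_changes_since() {
    local ref="$1"
    find /etc/rc.d /etc/inittab /etc/crontab /etc/cron.d /etc/anacrontab \
         /var/spool/cron /var/spool/at -newer "$ref" -print 2>/dev/null |
        LC_ALL=C sort
}

# Usage once chkrootkit has flagged, say, /bin/ls:
#   same_mtime_as /bin/ls /
#   files_with_attrs /usr
#   startup_changes_since /bin/ls
```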