I'm not sure, but the 60400 port may be the Trin00 stuff... I got hacked
with that one, & I never did find the daemon that was running... It looked
a little to me like the script is set up to run periodically, maybe by cron
- so check your cron.hourly, etc. for something that'll run things that
shouldn't be there... I finally found a new copy of netcat in my /usr/bin
directory, & removed it...
I'm still not sure how the guy broke into my machine, but however he did it,
it was pretty transparent to me. The only reason I realized he had done it
was because the lazy goof didn't bother to change the scripts to point at
what was _really_ my outgoing interface, causing my firewall to catch it &
spew tons o' logs...
Good luck... Maybe you can put port 60400 & the others specifically into
hosts.deny
i.e.: 60400:ALL
> -----Original Message-----
> From: Brad [SMTP:[EMAIL PROTECTED]]
> Sent: Sunday, May 14, 2000 9:07 PM
> To: [EMAIL PROTECTED]
> Subject: there's a hacker!
>
> Dear all,
> I am a newbie as an administrator of the company's workstations.
> Now I find (using "netstat") someone is using Scorpio (one of the workstations) as a
> tcp proxy server at port 60400, but I don't know how to stop
> it. I used the "ps" command, it displayed as follows:
> UID PID PPID C STIME TTY TIME CMD
> root 0 0 0 Jul 02 ? 0:09 sched
> root 1 0 0 Jul 02 ? 1:33 /etc/init -
> root 2 0 0 Jul 02 ? 0:57 pageout
> root 3 0 0 Jul 02 ? 1213:20 fsflush
> root 268 233 0 Jul 02 ? 1:15 /usr/openwin/bin/Xsun :0
> -nobannd
> root 135 1 0 Jul 02 ? 0:24 /usr/sbin/inetd -s
> root 264 1 0 Jul 02 ? 0:00 /usr/lib/saf/sac -t 300
> root 115 1 0 Jul 02 ? 0:11 /usr/sbin/rpcbind
> root 107 1 0 Jul 02 ? 2:57 /usr/sbin/in.routed -q
> root 117 1 0 Jul 02 ? 0:00 /usr/sbin/keyserv
> root 207 196 0 Jul 02 ? 0:00 lpNet
> root 125 1 0 Jul 02 ? 0:00 /usr/sbin/kerbd
> root 123 1 0 Jul 02 ? 0:02 /usr/lib/netsvc/yp/ypbind
> -broadt
> daemon 138 1 0 Jul 02 ? 0:00 /usr/lib/nfs/statd
> root 140 1 0 Jul 02 ? 0:00 /usr/lib/nfs/lockd
> root 163 1 0 Jul 02 ? 0:00 /usr/lib/autofs/automountd
> root 167 1 0 Jul 02 ? 0:01 /usr/sbin/syslogd
> root 186 1 0 Jul 02 ? 1:23 /usr/sbin/nscd
> root 220 1 0 Jul 02 ? 0:00 /usr/sbin/vold
> root 180 1 0 Jul 02 ? 0:47 /usr/sbin/cron
> root 196 1 0 Jul 02 ? 0:00 /usr/lib/lpsched
> root 265 1 0 Jul 02 console 0:00 /usr/lib/saf/ttymon -g -h
> -p sco
> root 18358 135 0 Dec 04 ? 0:00 in.telnetd
> root 211 1 0 Jul 02 ? 0:04 /usr/lib/utmpd
> root 233 1 0 Jul 02 ? 0:40 /usr/dt/bin/dtlogin
> root 261 1 0 Jul 02 ? 0:00 /usr/lib/nfs/mountd
> root 259 1 0 Jul 02 ? 0:29 /usr/lib/nfs/nfsd -a 16
> root 267 264 0 Jul 02 ? 0:01 /usr/lib/saf/ttymon
> root 8642 8629 0 Jan 21 ? 0:30 dtgreet -display :0
> root 8629 233 0 Jan 21 ? 0:00 /usr/dt/bin/dtlogin
> nobody 7925 135 0 Nov 30 ? 0:00 fs
> regine 18360 18358 0 Dec 04 pts/5 0:00 -csh
> root 8602 135 0 Jan 21 ? 0:00 rpc.ttdbserverd
> root 17993 135 0 0:00 <defunct>
> root 18764 1 0 Aug 30 ? 0:02 /usr/lib/sendmail -bd -q15m
> root 8631 1 0 Jan 21 ? 0:00 /usr/openwin/bin/fbconsole
> -d :0
> oscar 13463 1 0 Mar 21 ? 0:04 ftp mew.tcs
> root 7439 7419 0 08:42:13 pts/7 0:00 /usr/bin/ps -ef
> root 7417 135 0 08:12:59 ? 0:00 in.telnetd
> ccchu 4607 1 0 Mar 15 ? 0:00 fs
> guest 7419 7417 0 08:13:00 pts/7 0:00 -csh
> guest 7092 1 0 19:26:45 ? 2:18 sim.v2
>
> Does anybody know how I can find the hacker ps, and stop
> it?
> thanks a lot.
> Brad
>
> --------------------------------------------------------------------------
> Brad Chun
> [EMAIL PROTECTED]
> "The best way to escape from your problem is to solve it."
> --------------------------------------------------------------------------
>
>
> --
> To unsubscribe: mail [EMAIL PROTECTED] with "unsubscribe"
> as the Subject.
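The thread never gets further than staring at the `ps -ef` listing, so here is an added example (not from either poster) that does the triage mechanically: it parses output in the Solaris `ps -ef` column layout quoted above and flags non-root processes that have been reparented to init (PPID 1), which is what a backgrounded job left behind by a logged-out intruder looks like; in the quoted listing that picks out the `oscar`, `ccchu` and `guest` entries. The sample listing is constructed for the example and the `<defunct>` line shows how short rows are skipped.

```python
"""Triage a captured `ps -ef` listing for detached non-root processes."""
import re

# Constructed sample in the shape of the Solaris listing quoted in the thread.
SAMPLE_PS = """\
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Jul 02 ? 1:33 /etc/init -
root 135 1 0 Jul 02 ? 0:24 /usr/sbin/inetd -s
root 180 1 0 Jul 02 ? 0:47 /usr/sbin/cron
root 17993 135 0 0:00 <defunct>
oscar 13463 1 0 Mar 21 ? 0:04 ftp mew.tcs
regine 18360 18358 0 Dec 04 pts/5 0:00 -csh
ccchu 4607 1 0 Mar 15 ? 0:00 fs
guest 7092 1 0 19:26:45 ? 2:18 sim.v2
"""

# STIME is either "Mon DD" (two tokens) or "HH:MM:SS" (one token), so the
# row cannot simply be split on whitespace; the regex absorbs both shapes.
_LINE = re.compile(
    r"^(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<c>\d+)\s+"
    r"(?P<stime>[A-Z][a-z]{2}\s+\d{1,2}|\d{2}:\d{2}:\d{2})\s+"
    r"(?P<tty>\S+)\s+(?P<time>\d+:\d{2})\s+(?P<cmd>.*)$"
)

def parse_ps(text):
    """Return one dict per process row, skipping the header and <defunct> stubs."""
    procs = []
    for line in text.splitlines()[1:]:
        m = _LINE.match(line.strip())
        if m:                       # defunct rows lack STIME/TTY and do not match
            d = m.groupdict()
            d["pid"], d["ppid"] = int(d["pid"]), int(d["ppid"])
            procs.append(d)
    return procs

def detached_user_processes(text, ignore_users=("root", "daemon")):
    """Processes reparented to init that are not owned by a system account:
    background jobs that outlived their login shell, such as a left-behind proxy."""
    return [p for p in parse_ps(text)
            if p["ppid"] == 1 and p["uid"] not in ignore_users]

if __name__ == "__main__":
    for p in detached_user_processes(SAMPLE_PS):
        print(f"{p['uid']:8} pid={p['pid']:<6} started={p['stime']:9} cmd={p['cmd']}")
```

Feed it `ps -ef` output saved from the suspect host; each flagged PID can then be matched to the listening socket with the system's socket-to-process tool before anything is killed.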