Re: Break-in? /usr/lib/telnetd, port 1037
* Kent West (westk@nicanor.acu.edu) spake thusly:
> Noah Meyerhans wrote:
...
> >Having telnetd listening on port 1037, if in fact it is, is probably not
> >a good thing. Have you actually tried telnetting to that port ('telnet
> >localhost 1037')?
>
> Yes, and I'm able to login via that port.
>
> >Does 'netstat -tlnp' indicate that the process using
> >that port is actually in "LISTEN" state?
>
> chanslor[westk]:/home/westk> sudo netstat -tlnp
> Password:
> Active Internet connections (only servers)
> Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
...
> tcp        0      0 0.0.0.0:1037            0.0.0.0:*               LISTEN      456/inetd
What's in /etc/services for port 1037? Who else has r00t on the
box and are you sure they didn't do that?
Anyway, if you believe you've been hacked,
1. If it's not a mission-critical box and you're interested in doing
a post-mortem: sync the filesystems and pull the power cord. Take
out the disk, mount it [noexec] on a known good box, then see
what's in there.
2. If it's a mission-critical box: fdisk, mkfs, reinstall. This is
faster than trying to fix things.
EXPN: it is possible to insert a module into the running kernel which
will modify /proc et al. so that ps, netstat, ls etc. will not show
certain processes/files/connections. IOW you cannot trust *any* program
on a hacked box, that's why you need a known good box to do the post-mortem
on. It is also possible to intercept shutdown and wipe out all traces
of intrusion / your whole HD. Hence the advice to pull the power cord.
Dima
--
Well, lusers are technically human. -- Red Drag Diva
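The post-mortem Dima describes (suspect disk mounted on a known good box) and his first question ("what's in /etc/services for port 1037?") as an added example, not part of the original thread: a POSIX sh script that, given copies of the suspect box's /etc/services and /etc/inetd.conf read from the mounted disk, reports which server program inetd would run for a given tcp port. inetd resolves the first field of each inetd.conf line through /etc/services, so both files are needed to connect a port number to a binary. The mount point, the file paths and the sample file contents below are constructed for the demo (the 1037 entry in particular is made up to mirror the thread); on a real disk you would point the functions at /mnt/suspect/etc/services and /mnt/suspect/etc/inetd.conf and use only the trusted host's sed/awk.

```shell
#!/bin/sh
# Added example, not from the original thread. Run on the known good box
# after something like:
#   mount -o ro,noexec,nosuid,nodev /dev/sdb1 /mnt/suspect   (assumed device/path)
# and point the functions at /mnt/suspect/etc/services and
# /mnt/suspect/etc/inetd.conf. Only the trusted host's tools are used.

# Print the service name(s) registered for a tcp port in a services file,
# one per line; print nothing if the port is unregistered.
service_for_port() {
    svc_file=$1; port=$2
    # strip comments, then match "<name> <port>/tcp" (whitespace separated)
    sed 's/#.*//' "$svc_file" | awk -v p="$port" '$2 == p"/tcp" { print $1 }'
}

# Print the inetd.conf lines whose service field matches a name.
# inetd.conf format: service socktype proto wait user server [args...]
inetd_entries_for() {
    conf=$1; name=$2
    sed 's/#.*//' "$conf" | awk -v n="$name" '$1 == n { print }'
}

# For a tcp port, print "<service>: <server and args>" for every inetd.conf
# entry that would serve it. Exit status: 0 found, 1 port not in services,
# 2 registered in services but no (uncommented) inetd.conf entry.
server_for_port() {
    svc_file=$1; conf=$2; port=$3
    names=$(service_for_port "$svc_file" "$port")
    [ -n "$names" ] || { echo "port $port: not registered in $svc_file"; return 1; }
    hits=0
    for n in $names; do
        lines=$(inetd_entries_for "$conf" "$n")
        [ -n "$lines" ] || continue
        hits=1
        printf '%s\n' "$lines" |
            awk -v n="$n" '{ s = $6; for (i = 7; i <= NF; i++) s = s " " $i; print n ": " s }'
    done
    [ "$hits" -eq 1 ] || { echo "port $port ($names): no inetd.conf entry"; return 2; }
    return 0
}

# Constructed sample files standing in for the mounted suspect disk.
# Prints the directory that holds them.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/services" <<'EOF'
# constructed /etc/services excerpt for the demo
ftp        21/tcp
telnet     23/tcp
finger     79/tcp
telnet-alt 1037/tcp      # constructed entry, not a stock one
EOF
    cat > "$dir/inetd.conf" <<'EOF'
# constructed /etc/inetd.conf excerpt for the demo
ftp        stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.ftpd
telnet     stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
#finger    stream tcp nowait nobody /usr/sbin/tcpd /usr/sbin/in.fingerd
telnet-alt stream tcp nowait root /usr/sbin/tcpd /usr/sbin/in.telnetd
EOF
    echo "$dir"
}

# Demo: the three outcomes on the constructed files.
S=$(make_samples)
server_for_port "$S/services" "$S/inetd.conf" 1037 || :   # found: telnet-alt -> in.telnetd
server_for_port "$S/services" "$S/inetd.conf" 79   || :   # registered, inetd line commented out
server_for_port "$S/services" "$S/inetd.conf" 1038 || :   # not in services at all
```

A port that inetd is listening on but which resolves to nothing in either file is itself a finding: on a clean box inetd only binds names it can resolve, so an unexplained listener means either the copies you are reading are not the ones the running daemon used, or the daemon itself is not the stock inetd.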