Re: Compromised-machine?? netbus- request from my debian-sid machine to outside IP to port 12345
Alvin Oga wrote:
hi ya "quadpolar" :-)
On Thu, 27 May 2004, tripolar wrote:
I dont think so- The only thing I know of is firestarter (firewall). I
received some more messages the same except this time ports 1234 (
service subseven) but going to a different outside IP.
post your logs (unedited, except for ip# ) you are reading/interpretting
- you don't care that 100's of script kiddies are trying to make
1000's of attempts to get into your pc
- consider it a free audit of your systems
- if they got in ... you've got a serious, but solvable major
here are a few lines from "hit" list
time:May 27 21:22:29 in: out:eth1 port:12345 source:192.168.1.1
dest:81.53.*.* len:44 tos:0x00 protocol:tcp service:netbus
time:May 27 22:10:38 in: out:eth1 port:1234 source:192.168.1.1
dest:63.207.*.* len:40 tos:0x00 protocol:tcp service:subseven
what is the output of "netstat -nv"
netstat -nv only brought up two addresses- my isps mail servers:995
- you are looking for foreign address on whacky ports that have
established connections to your local pc
- if you cannot explain any of the those outside machines
connected to your pc... you've probably need to get comments
from the list "what does this line mean"
I had had many ports forwarded from hardware firewall/router (HFR) to
debian-sid machine because of certain programs ( which I have since shut
down )and then I removed all port forwarding rules from HFR to debian pc.
I will just keep an eye out on the hit list.
This didnt go through to the list the first time so here goes again.
Also since then I slowly opened 1 port at a time after starting 1 of the
programs. I see the requests leaving my machine again so I have tracked
down the culprit.