
Re: port 6051: hacked?

On Fri, Sep 06, 2002 at 04:28:13PM +0200, Ramin Motakef wrote:
> A followup from myself:
> First,
> thanks for all the answers. 
> To summarise:
> neither lsof, nor netstat or fuser gave a sign that any program on my
> server listens on that port. I have aide running on this machine so I
> am quite sure that the programs are intact.
> From what Kristof Goossens and Nikolay Hristov say, I guess there is a
> firewall at the provider, that is blocking the port, which seems to be
> used by arcserve.
> As for "Why so many open ports?", well, I turned the firewall off for
> scanning :-)
> I am now quite sure that there was no break-in, but will follow the
> suggestion by Jean-Francois Dive and let a sniffer run...

You really almost *never* can be 100% sure. The latest rootkits are running
in the kernel, don't need to change any command as they hide information
at the system call level. Some are really difficult to see, they dump
the binaries on the disk only when they need them then erase them, etc.,
etc., etc. Honestly, I think the rootkit technology is far in front of
the forensic and worst detection tools commonly available so, my recommendation,
maximum paranoia...

> Thanks again,
> Ramin


-> Jean-Francois Dive
--> jef@linuxbe.org

  There is no such thing as randomness.  Only order of infinite
  complexity.  - _The Holographic Universe_, Michael Talbot
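
A cross-view check for the situation discussed in this thread, added here as an example that is not part of the original messages: it compares the local TCP ports the kernel lists in /proc/net/tcp with what a direct bind() attempt reports, so a port that is busy but unlisted (6051 in the constructed test data) stands out. It assumes Linux; the function names and the sample table are hypothetical and constructed for illustration.

```python
import errno
import socket

# Constructed sample in /proc/net/tcp format (not data from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A000005:C350 0A000009:0050 01 00000000:00000000 00:00000000 00000000  1000        0 1003
"""

def local_ports(proc_text):
    """Return every local TCP port listed in a /proc/net/tcp{,6} table."""
    ports = set()
    for line in proc_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) >= 2 and ":" in fields[1]:
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # port is hex
    return ports

def port_in_use(port):
    """Probe a port by binding to it; EADDRINUSE means a socket holds it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind(("0.0.0.0", port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise  # e.g. EACCES for ports below 1024 when not root
    finally:
        s.close()

def hidden_ports(reported, candidates, probe=port_in_use):
    """Ports the probe finds busy although the kernel listing omits them."""
    return sorted(p for p in candidates if p not in reported and probe(p))

if __name__ == "__main__":
    reported = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as f:
                reported |= local_ports(f.read())
        except FileNotFoundError:
            pass  # IPv6 may be disabled
    print(hidden_ports(reported, range(1024, 65536)))
```

Sockets opened or closed between reading the table and probing can produce transient mismatches, so repeat the run before treating a hit as real. An empty result is not proof of a clean system, since code running in the kernel can interfere with bind() as well.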
