[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: am I hacked?

On Sun, 31 Oct 2004 16:59:12 +0100, Arthur de Jong wrote:

> On Sun, 2004-10-31 at 17:16 +0200, Haim Ashkenazi wrote:
>> for a few days now I see in the logs of my firewall (debian/stable)
>> entries about someone trying to connect to my SSH server with several
>> users (root, test, mysql, etc..) without success. today I saw an entry
>> which alarmed me:
>> Oct 31 14:37:17 coltrane sshd[17927]: Bad protocol version identification 'GNUTELLA CONNECT/0.6' from
> This is probably what you would see if someone advertised a gnutella
> host with ip (or whatever your server's ip is) and port 22.
> Noting to worry about.
>> running chkrootkit (0.43) I got this surprise (the short version):
>> parker:~/src/rkhunter# chkrootkit  lkm
>> ROOTDIR is `/'
>> Checking `lkm'... You have    36 process hidden for readdir command
>> You have    36 process hidden for ps command
>> Warning: Possible LKM Trojan installed
> chkrootkit is know to sometimes produce false positives but these
> generally don't show up on repeated calls. There was a problem once with
> an incompatible libc or somesuch that could explain this (maybe see
> http://bugs.debian.org/chkrootkit).
thanx, I was only concern about the log in my server and what you
suggested seems to be the answer. I'm aware of chkrootkit's false positive
errors, (although I'm used to get them on FreeBSD).


Reply to: