I'm afraid I've been cracked.
Well, I wasn't paying a whole lot of attention and I had every unnecessary
port closed... or so I thought. I was still running the portmapper. So
when I ssh'd home today and nmapped myself, a couple of mysterious processes
popped up.
To begin with: I nmapped my box and saw, much to my dismay:
Port   State  Protocol  Service
22     open   tcp       ssh
111    open   tcp       sunrpc
515    open   tcp       printer
1527   open   tcp       tlisrv
6000   open   tcp       X11
As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
(the mystery process) both died. Then later today, I ssh'd home again and
saw:
Port   State  Protocol  Service
22     open   tcp       ssh
515    open   tcp       printer
2027   open   tcp       shadowserver
6000   open   tcp       X11
Then, by looking through /var/log/auth.log, I see that every morning at
around 7:35, three sessions are being opened. Two for user 'news' by
(uid=0) and one for user 'nobody' also by (uid=0).
I plan on removing nntp from my box immediately, since I don't use my box as
a server in any way. Can anybody please explain to me what's going on?
Has my box been compromised? What do I do?
Copious thanks in advance for any help.
----------------------------------------------------------------------
Stephen W. Juranich sjuranic@ee.washington.edu
Electrical Engineering http://students.washington.edu/sjuranic
University of Washington http://rcs.ee.washington.edu/ssli
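Added example (not part of the original post): a small Python script that parses "session opened" lines from auth.log, like the 07:35 'news' and 'nobody' entries described above, groups them by service, user and calling uid, and separates sessions that recur at the same clock time on several days (the signature of a scheduled job worth checking against the system and user crontabs) from one-off sessions that deserve closer review. The hostname, PIDs, dates and log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample auth.log in the classic syslog/PAM format ("mybox", PIDs and
# dates are made up); one out-of-pattern 'nobody' session via sshd is included.
SAMPLE_AUTH_LOG = """\
Mar 10 07:35:02 mybox PAM_unix[2140]: (cron) session opened for user news by (uid=0)
Mar 10 07:35:02 mybox PAM_unix[2141]: (cron) session opened for user news by (uid=0)
Mar 10 07:35:04 mybox PAM_unix[2142]: (cron) session opened for user nobody by (uid=0)
Mar 10 07:36:10 mybox PAM_unix[2140]: (cron) session closed for user news
Mar 11 07:35:01 mybox PAM_unix[2688]: (cron) session opened for user news by (uid=0)
Mar 11 07:35:01 mybox PAM_unix[2689]: (cron) session opened for user news by (uid=0)
Mar 11 07:35:03 mybox PAM_unix[2690]: (cron) session opened for user nobody by (uid=0)
Mar 11 23:41:17 mybox sshd[2901]: (pam_unix) session opened for user nobody by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s+(?P<hh>\d\d):(?P<mm>\d\d):\d\d\s+\S+\s+"
    r"(?P<service>[\w\-]+)\[\d+\]:\s+.*session opened for user (?P<user>\S+) by \(uid=(?P<uid>\d+)\)"
)

def parse_sessions(log_text):
    """Return one dict per 'session opened' line; closes and other noise are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"day": f"{m['mon']} {int(m['day']):02d}",
                           "minute": int(m["hh"]) * 60 + int(m["mm"]),
                           "service": m["service"], "user": m["user"], "uid": int(m["uid"])})
    return events

def classify_sessions(events, min_days=2, tolerance_min=2):
    """Group opens by (service, user, caller uid). A group seen on at least
    min_days distinct days, always within tolerance_min minutes of the same
    clock time, is flagged as a scheduled job; everything else is 'review'."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["service"], e["user"], e["uid"])].append(e)
    report = {}
    for key, evs in groups.items():
        days = {e["day"] for e in evs}
        minutes = [e["minute"] for e in evs]
        regular = len(days) >= min_days and max(minutes) - min(minutes) <= tolerance_min
        report[key] = {"count": len(evs), "days": len(days),
                       "time": f"{min(minutes) // 60:02d}:{min(minutes) % 60:02d}",
                       "verdict": "recurring-scheduled" if regular else "review"}
    return report
```

Run it over a real auth.log with `classify_sessions(parse_sessions(open("/var/log/auth.log").read()))`; a "recurring-scheduled" group still needs to be matched to an actual crontab entry before it is written off as benign.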