
Re: I'm afraid I've been cracked.

Use "lsof -i | grep <port>" to find out exactly what binary is running
on that port.  Then you can find out where it's at.  Are there any
other hidden utils, etc?  I'd also do a "netstat -an" and see what is
connected to your mystery port.  Find out where your attacker is coming
from.

Robert

Thus spake Steve Juranich (sjuranic@kant.ee.washington.edu):

> Well, I wasn't paying a whole lot of attention and I had every unnecessary
> port closed... or so I thought.  I was still running the portmapper.  So
> when I ssh'd home today and nmapped myself, a couple of mysterious processes
> popped up.
> 
> To begin with: I nmapped my box and saw, much to my dismay:
> 
> Port    State       Protocol  Service
> 22      open        tcp        ssh             
> 111     open        tcp        sunrpc          
> 515     open        tcp        printer         
> 1527    open        tcp        tlisrv          
> 6000    open        tcp        X11             
> 
> As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
> (the mystery process) both died.  Then later today, I ssh'd home again and
> saw:
> 
> Port    State       Protocol  Service
> 22      open        tcp        ssh             
> 515     open        tcp        printer         
> 2027    open        tcp        shadowserver    
> 6000    open        tcp        X11             
> 
> Then, by looking through /var/log/auth.log, I see that every morning at
> around 7:35, three sessions are being opened.  Two for user 'news' by
> (uid=0) and one for user 'nobody' also by (uid=0).
> 
> I plan on removing nntp from my box immediately, since I don't use my box as
> a server in any way.  Can anybody please explain to me what's going on?
> Has my box been compromised?  What do I do?
> 
> Copious thanks in advance for any help.
> 
> ----------------------------------------------------------------------
> Stephen W. Juranich                         sjuranic@ee.washington.edu
> Electrical Engineering         http://students.washington.edu/sjuranic
> University of Washington             http://rcs.ee.washington.edu/ssli
> 



:wq!
---------------------------------------------------------------------------
Robert L. Harris                |  Micros~1 :  
Senior System Engineer          |    For when quality, reliability 
  at RnD Consulting             |      and security just aren't
                                \_       that important!
DISCLAIMER:
      These are MY OPINIONS ALONE.  I speak for no-one else.
FYI:
 perl -e 'print $i=pack(c5,(41*2),sqrt(7056),(unpack(c,H)-2),oct(115),10);'
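The two checks Robert suggests (which binary owns the port, and what the auth.log sessions are) can be scripted. The helper below is an added example, not code from either poster: `port_owner` does the lsof lookup from the reply (falling back to `ss` when lsof is not installed) and resolves the PID to its binary and owning package, and `root_opened_sessions` pulls the "session opened for user X by (uid=0)" lines out of an auth.log so the recurring 07:35 entries can be compared against the system's cron schedule. Lines of that form are written by PAM whenever a root-owned service, cron included, starts a session for a user, so the timestamp and the program tag in the log are what tell a scheduled job apart from something else. It assumes a Linux host with /proc, lsof or ss, and dpkg; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's code.
# Assumes: Linux /proc, lsof (or iproute2 ss as fallback), dpkg.

# port_owner PORT
# Print "PID  binary  package" for every process listening on TCP PORT.
# A binary that dpkg does not own, or one that readlink reports as
# "(deleted)", is the thing to look at first.
port_owner() {
    port="$1"
    if command -v lsof >/dev/null 2>&1; then
        # -t: PIDs only; -sTCP:LISTEN: listening sockets only
        pids=$(lsof -nP -iTCP:"$port" -sTCP:LISTEN -t 2>/dev/null)
    else
        pids=$(ss -ltnpH "sport = :$port" 2>/dev/null |
               sed -n 's/.*pid=\([0-9]*\).*/\1/p')
    fi
    for pid in $pids; do
        exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "?")
        pkg=$(dpkg -S "$exe" 2>/dev/null | cut -d: -f1)
        printf '%s  %s  %s\n' "$pid" "$exe" "${pkg:-<not owned by any package>}"
    done
}

# root_opened_sessions < auth.log
# For each PAM "session opened for user X by (uid=0)" line, print
# "HH:MM user program" (program is the syslog tag, e.g. PAM_unix, CRON, sshd).
# Pipe into 'sort | uniq -c' to see which user/time pairs recur daily.
root_opened_sessions() {
    sed -n 's/^[A-Za-z]\{3\} \{1,2\}[0-9]\{1,2\} \([0-9]\{2\}:[0-9]\{2\}\):[0-9]\{2\} [^ ]\{1,\} \([A-Za-z_]\{1,\}\)[^:]*: .*session opened for user \([^ ]\{1,\}\) by (uid=0).*/\1 \3 \2/p'
}

# Constructed sample auth.log excerpt (not real log data) in the classic
# Debian format; one sshd line with a non-root opener is included to show
# it is excluded.
SAMPLE_AUTH_LOG='Mar 14 07:35:01 kant PAM_unix[2201]: (cron) session opened for user news by (uid=0)
Mar 14 07:35:01 kant PAM_unix[2202]: (cron) session opened for user news by (uid=0)
Mar 14 07:35:02 kant PAM_unix[2203]: (cron) session opened for user nobody by (uid=0)
Mar 14 09:12:44 kant sshd[2310]: (pam_unix) session opened for user steve by steve(uid=1000)
Mar 14 07:35:09 kant PAM_unix[2201]: (cron) session closed for user news'

# Stand-alone usage: summarise the sample, then (if run as root) check the
# two ports from the thread; replace with a real log and ports on a live box.
if [ "${0##*/}" = "port_triage.sh" ]; then
    printf '%s\n' "$SAMPLE_AUTH_LOG" | root_opened_sessions | sort | uniq -c
    for p in 1527 2027; do port_owner "$p"; done
fi
```

On a real box, run `root_opened_sessions < /var/log/auth.log | sort | uniq -c` and compare the recurring times against `/etc/crontab`, `/etc/cron.d/*` and the spool in `/var/spool/cron/crontabs`; a daily uid=0 session for a system account that lines up with a cron entry is a scheduled job, one that does not is worth the same scrutiny as the unknown port.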
