Re: I'm afraid I've been cracked.
A long time ago, in a galaxy far, far away, someone said...
> Use "lsof -i | grep <port>" to find out exactly what binary is running
> on that port. Then you can find out where it's at. Are there any
> other hidden utils, etc? I'd also do a "netstat -an" and see what is
> connected to your mystery port. Find out where your attacker is coming
> from.
That, of course, assumes the 'netstat' and 'lsof' binaries haven't been
trojaned to hide the tools used by the attacker.
> Thus spake Steve Juranich (sjuranic@kant.ee.washington.edu):
>
> > Well, I wasn't paying a whole lot of attention and I had every unnecessary
> > port closed... or so I thought. I was still running the portmapper. So
> > when I ssh'd home today and nmapped myself, a couple of mysterious processes
> > popped up.
> >
> > To begin with: I nmapped my box and saw, much to my dismay:
> >
> > Port State Protocol Service
> > 22 open tcp ssh
> > 111 open tcp sunrpc
> > 515 open tcp printer
> > 1527 open tcp tlisrv
> > 6000 open tcp X11
According to nmap, tcp port 1527 is used by Oracle, so unless you're running
an SQL server I would say that's a back door they're getting in with.
> > As soon as I killed the portmapper, port 111 (the portmapper) and port 1527
> > (the mystery process) both died. Then later today, I ssh'd home again and
> > saw:
> >
> > Port State Protocol Service
> > 22 open tcp ssh
> > 515 open tcp printer
> > 2027 open tcp shadowserver
> > 6000 open tcp X11
> >
> > Then, by looking through /var/log/auth.log, I see that every morning at
> > around 7:35, three sessions are being opened. Two for user 'news' by
> > (uid=0) and one for user 'nobody' also by (uid=0).
The user 'nobody' should not be logging in.
I think it would be good to see a snippet of the /var/log/auth.log,
particularly the ones where their entry gets logged.
> > I plan on removing nntp from my box immediately, since I don't use my box as
> > a server in any way. Can anybody please explain to me what's going on?
> > Has my box been compromised? What do I do?
> >
> > Copious thanks in advance for any help.
There are several things I would do:
* It looks like the computer's at a university - it *might* be prudent to
let the IT staff in charge of computers at the university know that your
computer was broken into. Just in case someone (i.e. FBI) comes knocking
at their door/your door wondering why your computer is attacking someone
else's...
* Try to find a way to track who is connecting to your computer at 7:35 in
the morning with a packet sniffer - either with another computer on the
same hub or on your computer with a tcpdump binary you prepared
yourself.
* If you think someone is doing bad stuff with your computer, law
enforcement should know.
--
----------------------------------------------------------------------
Phil Brutsche pbrutsch@tux.creighton.edu
GPG fingerprint: 9BF9 D84C 37D0 4FA7 1F2D 7E5E FD94 D264 50DE 1CFC
GPG key id: 50DE1CFC
GPG public key: http://tux.creighton.edu/~pbrutsch/gpg-public-key.asc
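As an added example (not part of Phil's reply or the original thread): a small Python script that pulls PAM "session opened" entries out of an auth.log and flags the ones for system accounts, counting how often each user/service/minute recurs so a "same time every morning" pattern stands out. The log lines are constructed in PAM_unix syslog style; the hostname, PIDs and the list of system accounts are assumptions.

```python
import re
from collections import Counter

# Constructed sample in syslog/PAM_unix style; not the original poster's log.
SAMPLE_AUTH_LOG = """\
Jul 10 07:35:01 kant PAM_unix[2301]: (cron) session opened for user news by (uid=0)
Jul 10 07:35:01 kant PAM_unix[2302]: (cron) session opened for user news by (uid=0)
Jul 10 07:35:04 kant PAM_unix[2305]: (login) session opened for user nobody by (uid=0)
Jul 10 09:12:44 kant PAM_unix[2410]: (login) session opened for user steve by (uid=0)
Jul 11 07:35:02 kant PAM_unix[3117]: (cron) session opened for user news by (uid=0)
Jul 11 07:35:02 kant PAM_unix[3118]: (cron) session opened for user news by (uid=0)
Jul 11 07:35:05 kant PAM_unix[3120]: (login) session opened for user nobody by (uid=0)
Jul 11 07:36:10 kant PAM_unix[3121]: (login) session closed for user nobody
"""

# Assumed list: accounts that own files or run daemons and have no business
# opening login sessions on this box.
SYSTEM_ACCOUNTS = {"nobody", "news", "lp", "daemon", "bin", "sys", "uucp"}

# One PAM "session opened" line: syslog timestamp, host, program, (service), user, uid.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}):\d{2} "
    r"\S+ \S+: \((?P<service>[^)]+)\) session opened for user (?P<user>\S+) "
    r"by \(uid=(?P<uid>\d+)\)$"
)


def parse_session_opens(text):
    """Return one dict per 'session opened' line; other lines (session closed etc.) are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_sessions(text):
    """Sessions opened for system accounts, plus how often each (user, service, HH:MM) recurs.

    A count above 1 for the same minute on different days is the "every morning at
    7:35" pattern from the thread; compare it against the crontabs and against a
    packet capture taken at that time.
    """
    events = [e for e in parse_session_opens(text) if e["user"] in SYSTEM_ACCOUNTS]
    recurrence = Counter((e["user"], e["service"], e["time"]) for e in events)
    return events, recurrence


if __name__ == "__main__":
    found, recurring = suspicious_sessions(SAMPLE_AUTH_LOG)
    for e in found:
        print(f"{e['mon']} {e['day']} {e['time']} {e['service']:>6} user={e['user']} by uid={e['uid']}")
    for (user, service, hhmm), n in sorted(recurring.items()):
        print(f"{user}/{service} at {hhmm}: {n} session(s)")
```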