Re: I'm afraid I've been cracked.



Steve Juranich <sjuranic@kant.ee.washington.edu> wrote on 28/09/2000 (00:57) :
> Well, I wasn't paying a whole lot of attention and I had every unnecessary
> port closed... or so I thought.  I was still running the portmapper.  So
> when I ssh'd home today and nmapped myself, a couple of mysterious processes
> popped up.
> 
> To begin with: I nmapped my box and saw, much to my dismay:
> 
> Port    State       Protocol  Service
> 22      open        tcp        ssh             
> 111     open        tcp        sunrpc          
> 515     open        tcp        printer         
> 1527    open        tcp        tlisrv          
> 6000    open        tcp        X11             

If you go to http://www.snort.org under Port Search you can find out
what the ports are used for.

It says Oracle for 1527, but nothing for 2027.

> I plan on removing nntp from my box immediately, since I don't use my box as
> a server in any way.  Can anybody please explain to me what's going on?
> Has my box been compromised?  What do I do?

Wipe the disc(s) clean and reinstall. Install snort + possibly a firewall.
Then set in /etc/hosts.deny :
ALL: ALL

and in /etc/hosts.allow you put in the addresses you trust.

It's a start at least.
-- 
Preben Randhol - Ph.D Student -  http://www.pvv.org/~randhol/     ._.
Debian 2.2 |"Don't think about domination, think about freedom,  / _,\
Potato     | it doesn't dominate." - Richard M. Stallman        | (_./
GNU/Linux  | To learn more visit => http://www.debian.org/       \,


