Re: I'm afraid I've been cracked.
- To: Debian Users List <debian-user@lists.debian.org>
- Subject: Re: I'm afraid I've been cracked.
- From: Preben Randhol <randhol@pvv.org>
- Date: Tue, 3 Oct 2000 12:51:08 +0200
- Message-id: <20001003125108.B1861@pvv.org>
- Mail-followup-to: Debian Users List <debian-user@lists.debian.org>
- In-reply-to: <Pine.SOL.3.96.1000927154351.11428L-100000@condor.ee.washington.edu>; from sjuranic@kant.ee.washington.edu on Wed, Sep 27, 2000 at 03:55:49PM -0700
- References: <Pine.SOL.3.96.1000927154351.11428L-100000@condor.ee.washington.edu>
Steve Juranich <sjuranic@kant.ee.washington.edu> wrote on 28/09/2000 (00:57) :
> Well, I wasn't paying a whole lot of attention and I had every unnecessary
> port closed... or so I thought. I was still running the portmapper. So
> when I ssh'd home today and nmapped myself, a couple of mysterious processes
> popped up.
>
> To begin with: I nmapped my box and saw, much to my dismay:
>
> Port    State   Protocol  Service
> 22      open    tcp       ssh
> 111     open    tcp       sunrpc
> 515     open    tcp       printer
> 1527    open    tcp       tlisrv
> 6000    open    tcp       X11
If you go to http://www.snort.org under Port Search you can find out
what the ports are used for.
It says oracle for 1527, but nothing for 2027.
> I plan on removing nntp from my box immediately, since I don't use my box as
> a server in any way. Can anybody please explain to me what's going on?
> Has my box been compromised? What do I do?
Wipe the disc(s) clean and reinstall. Install snort + possibly firewall.
Then set in /etc/hosts.deny:

    ALL: ALL

and in /etc/hosts.allow you put in the addresses you trust.
It's a start at least.
--
Preben Randhol - Ph.D Student - http://www.pvv.org/~randhol/ ._.
Debian 2.2 |"Don't think about domination, think about freedom, / _,\
Potato | it doesn't dominate." - Richard M. Stallman | (_./
GNU/Linux | To learn more visit => http://www.debian.org/ \,
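
Added example, not part of the original message: a small Python evaluator for the lookup order that hosts_access(5) documents (hosts.allow first, then hosts.deny, otherwise access is granted), showing what the `ALL: ALL` line above changes. The file contents and addresses are constructed samples, and only a subset of the pattern syntax is handled (`ALL`, exact match, address prefix, domain suffix).

```python
# Subset of hosts_access(5) semantics; sample rules below are constructed.

def parse_rules(text):
    """Return [(daemon_list, client_list), ...] from hosts.allow/deny text."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def client_matches(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):        # address prefix, e.g. "192.0.2."
        return client.startswith(pattern)
    if pattern.startswith("."):      # domain suffix, e.g. ".example.org"
        return client.endswith(pattern)
    return pattern == client

def listed(rules, daemon, client):
    return any(
        any(d in ("ALL", daemon) for d in daemons)
        and any(client_matches(c, client) for c in clients)
        for daemons, clients in rules
    )

def is_allowed(allow_text, deny_text, daemon, client):
    if listed(parse_rules(allow_text), daemon, client):
        return True                  # a match in hosts.allow wins
    if listed(parse_rules(deny_text), daemon, client):
        return False                 # otherwise hosts.deny can refuse
    return True                      # no match in either file: granted

HOSTS_DENY = "ALL: ALL\n"                              # from the message
HOSTS_ALLOW = "sshd: 192.0.2.10\nALL: 127.0.0.1\n"     # constructed sample

if __name__ == "__main__":
    for daemon, client in [("sshd", "192.0.2.10"), ("sshd", "203.0.113.5"),
                           ("portmap", "203.0.113.5"), ("portmap", "127.0.0.1")]:
        verdict = is_allowed(HOSTS_ALLOW, HOSTS_DENY, daemon, client)
        print(daemon, client, "allowed" if verdict else "denied")
```

These files are only consulted by services started through tcpd or linked against libwrap, so a rescan of the open ports is still needed to see what remains reachable.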