
Newbie and scan attack



I have a bit of a problem:  I just installed Woody on 
a dual-boot box, got KDE and all up and running, and 
very soon found that I was losing my connection.  

I inquired as to why, and I was told I was being cut off
because my computer was scan-attacking the ISP proxy server.

One scan attack attacked my proxy server's proxy port, from 1031, 1032,
1033, 1034, 1035... and expired about 8 minutes later.

Anyhow, I had a bunch of junk on the system that I probably
didn't need -- portmap, htdig, roxen, wwwoffled, and apache are a few
of the items -- and I went ahead and removed them.  Others, like lpd, I
don't know how to remove. When I ran netstat -punta, with my network
disconnected, I found a bunch of reports from htdig (open/close).

I'm wondering if that was the source of the problem, or if I have
been taken over by a remote operator, and how I can clean, then secure,
my system.

Is there anything that hit this particular list server, specifically
(also), because I had been a subscriber -- and every so often a piece
of trash mail comes through, and it makes me wonder if there was some
kind of an automated virus that hit me.

Aside from that, other things I noticed:  getty runs tty2-tty6 (Bash
runs tty1) whenever I have K running -- and I wonder if that is perhaps
initiating the attack; I also see miniserv.pl, and proftpd; I wonder if
I need those.  

klisa and inetd both also make internet accesses.  When I run netstat
-nlp, I see that ksmserver is listening, and artsd and ssh-agent are also
running.  So are my truetype servers Xfs, Xfs-xtt, and the X server, lpd,
and KDEinit.

I also have a Windows system -- and, sometimes using the same network
connection [manual plug-over], a Macintosh, and it is possible that the
attacks were coming through one of those.  But the Windows system has a
good firewall "ZoneAlarm" that I can use and understand [I don't yet
understand the Linux one] and McAfee antivirus with autoupdate.


When you reply, please cc: me at dscpubl@siltec.lt.  I nominally removed
myself from the list server -- it doesn't seem to have worked, but it
might remove me at any time.


-- 
To UNSUBSCRIBE, email to debian-user-request@lists.debian.org 
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org


