Newbie and scan attack
I have a bit of a problem: I just installed Woody on
a dual-boot box, got KDE and all up and running, and
very soon found that I was losing my connection.
I inquired as to why, and I was told I was being cut off
because my computer was scan-attacking the ISP proxy server.
One scan attack attacked my proxy server's proxy port, from 1031, 1032,
1033, 1034, 1035... and expired about 8 minutes later.
Anyhow, I had a bunch of junk on the system that I probably
didn't need -- portmap, htdig, roxen, wwwoffled, and apache are a few
of the items -- and I went ahead and removed them. Others, like lpd, I
don't know how to remove. When I ran netstat -punta, with my network
disconnected, I found a bunch of reports from htdig (open/close).
I'm wondering if that was the source of the problem, or if I have
been taken over by a remote operator, and how I can clean, then secure,
my system.
Is there anything that hit this particular list server, specifically
(also), because I had been a subscriber -- and every so often a piece of
trash mail comes through, and it makes me wonder if there was some kind
of an automated virus that hit me.
Aside from that, other things I noticed: getty runs tty2-tty6 (Bash
runs tty1) whenever I have K running -- and I wonder if that is perhaps
initiating the attack; I also see miniserv.pl, and proftpd; I wonder if
I need those.
klisa and inetd both also make internet accesses. When I run netstat
-nlp, I see that ksmserver is listening, artsd, and ssh-agent are also
running. So are my truetype servers Xfs, Xfs-xtt, and the X server, lpd,
and KDEinit.
I also have a Windows system -- and, sometimes using the same network
connection [manual plug-over] a Macintosh, and it is possible that the
attacks were coming through one of those. But the Windows system has a
good firewall "ZoneAlarm" that I can use and understand [I don't yet
understand the Linux one] and McAfee antivirus with autoupdate.
When you reply, please cc: me at dscpubl@siltec.lt. I nominally removed
myself from the list server -- it doesn't seem to have worked, but it
might remove me at any time.