
bad thing Re: Compromised-machine?? netbus-



hi ya tripolar

On Thu, 27 May 2004, tripolar wrote:

> What logs?

/var/log/{messages,syslog,debug,warn}
 
> here are a few lines from "hit" list
> time:May 27 21:22:29 in: out:eth1 port:12345 source:192.168.1.1 
> dest:81.53.*.* len:44 tos:0x00 protocol:tcp service:netbus
> time:May 27 22:10:38 in: out:eth1 port:1234 source:192.168.1.1 
> dest:63.207.*.* len:40 tos:0x00 protocol:tcp service:subseven

it says subseven is running on your 192.168.1.1 box ... or something
that uses that default service name
 
if 192.168.1.1 is a windoze box ... it's been hacked/trojaned

if 192.168.1.1 is a deb box... why is subseven or equivalent running on it
	- how did it get there
	- how do you update your deb boxes ...
	  ( if it is a deb box... time to rebuild or find somebody
	    locally to figure out what is broken on your box )

"google: subseven" and the first 2 links are what you need/want ...

> >what is the output of "netstat -nv"
> >  
> >
> netstat -nv only brought up two addresses- my isps mail servers

you have to have the cracker online at the time for netstat to show
who's using the machine ... and/or a lazy script kiddie will stay
on 24x7 ( and get caught )

you have to run netstat say every minute ... 
	- exclude your own ip# and allowed ports and see who is 
	left that is using your box

c ya
alvin
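The "run netstat every minute, drop your own addresses and the ports you expect, look at what is left" routine from the reply above, as an added example that is not part of the original thread. It assumes the column layout of `netstat -nt` (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State); the host addresses, allowed ports and the sample netstat output are constructed for the demonstration.

```bash
#!/bin/sh
# Added example, not from the original post. Filters ESTABLISHED TCP sockets,
# dropping peers that are one of our own addresses and connections where
# either end sits on an allowed port; whatever remains deserves a look.

MY_IPS="192.168.1.1 127.0.0.1"      # assumed: this host's own addresses
ALLOWED_PORTS="22 25 80 110 443"    # assumed: services you expect to see

# unexpected_peers: netstat -nt output on stdin -> "local -> remote" lines
unexpected_peers() {
    awk -v ips="$MY_IPS" -v ports="$ALLOWED_PORTS" '
    BEGIN {
        n = split(ips, a, " ");   for (i = 1; i <= n; i++) own[a[i]] = 1
        n = split(ports, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1
    }
    $1 == "tcp" && $NF == "ESTABLISHED" {
        # addr:port columns; the port is whatever follows the last colon
        lp = $4; sub(/.*:/, "", lp)          # local port
        rp = $5; sub(/.*:/, "", rp)          # remote port
        ra = $5; sub(/:[0-9]+$/, "", ra)     # remote address
        if (!(lp in ok) && !(rp in ok) && !(ra in own)) print $4 " -> " $5
    }'
}

# Constructed sample: sshd session, a POP3 fetch from the ISP mail server,
# a local CUPS socket, and one outbound connection to a remote port 1234.
SAMPLE='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.168.1.1:22          192.168.1.2:50211       ESTABLISHED
tcp        0      0 192.168.1.1:33010       10.0.0.25:110           ESTABLISHED
tcp        0      0 192.168.1.1:32801       63.207.0.5:1234         ESTABLISHED
tcp        0      0 127.0.0.1:631           127.0.0.1:45220         ESTABLISHED'

# Once-a-minute loop that appends timestamped hits to a log; on a live box
# replace the printf with "netstat -nt". Not started here (it never returns).
watch_loop() {
    while :; do
        printf '%s\n' "$SAMPLE" | unexpected_peers |
            while IFS= read -r line; do
                printf '%s %s\n' "$(date '+%b %d %H:%M:%S')" "$line"
            done >> /var/tmp/unexpected-peers.log
        sleep 60
    done
}

printf '%s\n' "$SAMPLE" | unexpected_peers   # prints the 63.207.0.5:1234 line
```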


