
Re: checking if my system is compromised



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Kamaraju Kusumanchi wrote:
> Hi all
> 
>     I am using Debian Etch (currently testing). Today from the abuse department of my ISP, I received the following warning (pasted in the end). My ISP has suspended my internet connection due to this. However, I am not able to track down the cause of the problem. I am wondering if anyone could help me out or tell me a better place to contact...
> 
>     I have used kopete some time back to contact debian IRC channels. Other than that I have never heard of this undernet.org. I also cannot imagine a debian machine (especially with etch being so near to becoming stable) being compromised as a zombie.
> 
> Here is what I have done so far
> 1) I have looked in various log files but could not find any suspicious activity.
> 
> 2) I tried to register at http://forum.undernet.org but their system is not allowing me to register my account.
> 
> 3) I was not able to contact the original sender of the abuse report as there is no from address in the report forwarded to me. My ISP's abuse department is closed for the weekend and I am trying to resolve this issue before approaching them on Monday.
> 
> Any ideas on how to determine+eliminate the root cause of this problem? Has anyone faced a similar problem before on Debian machines?
> 
> thanks
> raju
> 
> 
> ***************************
> abuse report forwarded to me
> ***************************
> Good day,
> 
> We are contacting you in order to inform the Abuse Department of your ISP that the following IPs have been compromised by unknown persons:
> 
> IP: 128.253.28.128
> 
> Complaint ticket: PJBP-2564
> 
> Abusers have been caught on IRC (Undernet.org Network) using
> the above IPs for loading IRC clients (floodbots, spambots, trojan
> spreading clients, etc.) involved in illegal activities such as DDoS,
> SPAMMING or Infected links/trojans spreading.
> 
> We would kindly appreciate your action to solve the hacked boxes
> or inform your customers about it in order to make sure the
> abusers won't be able any more to use your services for such
> activities.
> 
> As we are a non-profit Anti Abuse Project organized on an IRC
> Network, please reply to our reporting e-mail, so this way we can
> keep track of our Solved/Declined requests.
> 
> Sincerely,
> 
> Lucia Munteanu
> ***************************
> 
> 
Using netstat to check network activity? Closing all ports with
iptables?... I don't believe that your machine was compromised just by
using an IRC network...

We need more info

Jose Luis,
- --

ghostbar on Linux/Debian 'sid' i686 - #382503
Weblog: http://ghostbar.ath.cx/ - http://talug.org.ve
http://debian.org.ve - irc.debian.org #debian-ve #debian-devel-es
San Cristóbal, Venezuela. http://chaslug.org.ve
Fingerprint = 3E7D 4267 AFD5 2407 2A37  20AC 38A0 AD5B CACA B118
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGGC3fOKCtW8rKsRgRAhCKAJ9Gnu73hGprqrgD6qu4xgUyX4GcgACgyn9T
ukEZXvxGo+NDpm62iZ7srkc=
=eh6J
-----END PGP SIGNATURE-----
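One concrete way to act on the "use netstat to check network activity" suggestion, as an added example that is not code from either poster: read `netstat -tnp` output and flag established connections to the usual IRC ports (6660-6669 and 7000), then list the PIDs behind them for closer inspection. The netstat output embedded below is constructed for the example; only the local IP comes from the abuse report, while the remote addresses (RFC 5737 test ranges), PIDs and program names are invented. The port list is a heuristic: a bot talking to a server on a non-standard port would not be caught by it.

```shell
#!/bin/sh
# Added example (not from the list posters): triage the "check network
# activity with netstat" suggestion. Given `netstat -tnp` output, flag
# ESTABLISHED connections whose remote port is a common IRC port
# (6660-6669, 7000). This points at a process worth inspecting; it is
# not proof of compromise, and a bot on another port slips past it.

# Constructed sample of `netstat -tnp` output. The local IP is the one
# from the abuse report; remote addresses (RFC 5737 test ranges), PIDs
# and program names are invented for the example.
SAMPLE_NETSTAT='Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 128.253.28.128:42314    192.0.2.10:6667         ESTABLISHED 4242/perl
tcp        0      0 128.253.28.128:51002    192.0.2.20:443          ESTABLISHED 3100/firefox-bin
tcp        0      0 128.253.28.128:38870    198.51.100.7:7000       ESTABLISHED 4242/perl
tcp        0      0 127.0.0.1:631           127.0.0.1:45000         ESTABLISHED 2210/cupsd
tcp        0      0 128.253.28.128:40110    203.0.113.9:6667        TIME_WAIT   -'

# Read netstat output on stdin; print "remote pid/program" for each
# ESTABLISHED tcp/tcp6 connection to an IRC port. The remote port is the
# last colon-separated field, so IPv6 addresses parse as well.
flag_irc_connections() {
    awk '
        $1 ~ /^tcp6?$/ && $6 == "ESTABLISHED" {
            n = split($5, f, ":")
            port = f[n] + 0
            if ((port >= 6660 && port <= 6669) || port == 7000)
                print $5, $7
        }'
}

# Distinct PIDs behind the flagged connections, one per line, ready for
# `ls -l /proc/<pid>/exe`, `ps -p <pid> -o pid,user,lstart,cmd` or
# `lsof -p <pid>`. A "-" means netstat could not see the PID (not root).
flagged_pids() {
    flag_irc_connections | awk '$2 != "-" { split($2, p, "/"); print p[1] }' | sort -u
}

# Number of flagged connections (awk rather than wc, so no padding).
count_irc_connections() {
    flag_irc_connections | awk 'END { print NR }'
}

# Wrappers that run the checks over the embedded sample.
sample_flagged_pids() {
    printf '%s\n' "$SAMPLE_NETSTAT" | flagged_pids
}
sample_connection_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | count_irc_connections
}

# On a real box, run as root so netstat can attribute sockets to PIDs:
#   netstat -tnp | flag_irc_connections
echo "IRC connections in sample: $(sample_connection_count)"
echo "PIDs to inspect:"
sample_flagged_pids
```

Run as root so that the PID/Program column is populated; without it every socket shows "-" and the process behind the connection has to be found another way. A hit should be followed by looking at the process's binary, owner and start time before deciding whether the box is actually compromised.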


