/usr/bin/netstat is your friend:

        netstat -plut

This will show you all the network sockets that are being listened to.

On Wed May 10 2000 at 20:14, Jim Roland wrote:

> inetd is only one way he/she can enter your system via remote.
> You should also (after booting up) do a "ps -ax" or "ps -aux" to see what
> is running in the background.  Some common entry points could be finger,
> talkd, rlogind(sp?).  Make sure those services are disabled.  If for some
> reason you are needing a service that is running, make sure ipchains takes
> care of blocking those services from going through your gateway.  You can
> also block his entire subnet (assuming he does not get wise and use another
> ISP).
> 
> 
> -=>Jim Roland
> 
> "Never settle with words what you can settle with a flamethrower."
>         --Anonymous
> 
> 
> On Wed, 10 May 2000,     wrote:
> 
> > Date: Wed, 10 May 2000 07:35:06 -0700
> > From:     <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: Please Help !! My system got compromised
> >
> > Hi,
> > I have a cable modem connection to Internet. My system is running RedHat 6.0. I 
>have a home LAN setup so my linux gateway to the internet is configured as a 
>masquerading gateway and also running as a web server and DNS (Primary and Caching 
>only) server. I'm still working on the firewall (ipchains) but there is nothing in my 
>/etc/inetd.conf.
> >
> > After the compromise here is what happened:
> >
> > 1. The log tells me a user called "chaos" entered my system from some ISP in
> > primus.ca.
> >
> > May  6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > May  6 11:21:05 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > May  6 11:28:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> > May  6 11:32:07 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
> >
> > May  6 10:57:30 gator PAM_pwdb[4662]: (login) session opened for user chaos by (uid=0)
> > May  6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
> > May  6 11:21:05 gator PAM_pwdb[4721]: (login) session opened for user chaos by (uid=0)
> > May  6 11:21:07 gator PAM_pwdb[4733]: (su) session opened for user own by chaos(uid=5001)
> >
> > 2. The following telnetd line was added to /etc/inetd.conf.
> > telnet stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
> >
> > 3. Following accounts got added at the end of /etc/passwd
> >
> > own:x:0:0::/root:/bin/bash
> > adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
> > chaos:x:5001:5001::/home/chaos:/bin/bash
> >
> > 4. I looked at /home/chaos directory, I saw the following files
> > -rwxrwxr-x   1 #chaos   #chaos      13672 May  6 15:21 m
> > -rw-rw-r--   1 root     root         1149 May  6 15:07 milk.c
> > -rwxrwxr-x   1 root     root        15818 May  6 15:13 s
> > -rw-rw-r--   1 root     root         6793 May  6 15:07 stream.c
> >
> > 5. I looked at .bash_history for the chaos user and I see:
> > su own
> > gcc -o m milk.c
> > ./m 129.142.82.11 6000
> > su own
> > su own
> > ./m
> > ./m 24.114.4.13 7000
> >
> > Now, my cablemodem ISP (Mediaone) has warned me that they have received complaints
> > about port scanning from my system and they will disable the service if this happens
> > again!!
> >
> > Steps I've taken so far:
> >
> > 1. Upgraded bind to named 8.2.2-P5
> > 2. Changed root passwords
> > 3. Removed all the accounts that the intruder created and again there is nothing
> > in /etc/inetd.conf
> > 4. Sent email to the originating ISP to take actions about the abuse.
> >
> > I still can't figure out how the intruder entered my system??  Please advise me on
> > what to do to make sure my system is secure.
> >
> > Thanks in advance.
> > --Nehali
> >
> >
> >
> > --== Sent via Deja.com http://www.deja.com/ ==--
> > Before you buy.
> > -
> > To unsubscribe from this list: send the line "unsubscribe linux-net" in
> > the body of a message to [EMAIL PROTECTED]
> >
> 
> 

Cheers
Tony
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
  Tony Nugent <[EMAIL PROTECTED]>    Systems Administrator, RHCE
  GrowZone OnLine       (a project of) GrowZone Development Network
  POBox 475 Toowoomba Queensland Australia 4350    Ph: 07 4637 8322
 -=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-=*#*=-
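Added example, not posted by anyone in this thread: a small Python triage script that checks for the three indicators Nehali found on the box (a second UID-0 account in /etc/passwd, a live entry in an /etc/inetd.conf that should be empty, and remote logins followed by su into that account). The sample inputs mix lines quoted from the post with constructed entries, marked as such in the comments.

```python
import re

# Sample /etc/passwd tail: the three lines from the post plus constructed
# "root" and "nehali" entries so the check has legitimate accounts to pass over.
PASSWD = """root:x:0:0:root:/root:/bin/bash
nehali:x:500:500::/home/nehali:/bin/bash
own:x:0:0::/root:/bin/bash
adm1:x:5000:5000:Tech Admin:/tmp:/bin/bash
chaos:x:5001:5001::/home/chaos:/bin/bash
"""

# Constructed /etc/inetd.conf: everything commented out except the telnet
# line quoted in the post. A clean file would yield no enabled services.
INETD_CONF = """#ftp    stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""

# Two log lines from the post plus one constructed local login by the owner.
AUTH_LOG = """May  6 10:57:30 gator login: LOGIN ON 1 BY chaos FROM dialin-154-26.tor.primus.ca
May  6 10:57:38 gator PAM_pwdb[4675]: (su) session opened for user own by chaos(uid=5001)
May  6 12:00:00 gator PAM_pwdb[4800]: (login) session opened for user nehali by (uid=0)
"""

def rogue_uid0_accounts(passwd_text):
    """Names other than root with UID 0: any second UID-0 entry is a backdoor."""
    rogue = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] != "root":
            rogue.append(fields[0])
    return rogue

def enabled_inetd_services(inetd_text):
    """Service names of active (non-comment) inetd.conf entries."""
    return [line.split()[0] for line in inetd_text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]

def remote_logins(log_text):
    """(user, origin) pairs for every 'LOGIN ON ... BY ... FROM ...' record."""
    return re.findall(r"LOGIN ON \S+ BY (\S+) FROM (\S+)", log_text)

def su_into_rogue(log_text, rogue):
    """(target, caller) pairs where someone su'd into a rogue UID-0 account."""
    hits = re.findall(r"\(su\) session opened for user (\S+) by (\w+)", log_text)
    return [(target, caller) for target, caller in hits if target in rogue]
```

Each function takes file contents as a string, so on a real host you pass `open("/etc/passwd").read()` and the like; an empty list from every check is the expected result on a clean system.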
