Thank you sir, I'll check those sites.

On 5/1/06, Xander Solis <[EMAIL PROTECTED]> wrote:
Hi Seekuel,

You can check what program is listening to various ports via the
command netstat -ap

You can also have a process tree output via ps ajxf, which would
allow you to check the parent <-> child relationship of each process.

If the process looks shady, kill the process, send a SIGKILL to it,
and see if it spawns back (kill -9 proc name). You can also try to debug
the program (using gdb) or use strace to get a glimpse of what it does
at a very low level.

You can also use md5sum -c, to check if the running program is really valid.

Aside from these commands, you can also try to use nessus on your
machines (get your manager's permission first :) ) to check for
vulnerabilities on your system/s and help you harden your machine.

Finally, after checking all your programs, you can also try and
experiment with NIDS/HIDS solutions to help you secure your
network (Snort and Tripwire).

You can also try checking the following sites for Linux/Unix Security
Information:
- www.linuxsecurity.com
- phrack.org
- packetstormsecurity.linux.com
- securityfocus.com
- hackinglinuxexposed.com
- faqs.org/docs/securing

Just be careful in going to shady sites :)

On 5/1/06, seekuel < [EMAIL PROTECTED]> wrote:
>
> I did some digging.
>
> I remembered that during the software update ports 80 and 53 were opened while
> the web and DNS services were still off, and 22 was dropped. After the update, which
> takes about 2 and a half hours, I configured the web and DNS services.
>
> I remembered that the DNS service was up and running before going home. The
> next day when I checked the services, named was off and I turned it on. I
> thought it was kind of weird.
>
> Looking further, a bind failure for a certain service (like port 22) was
> found in the logs. It failed to bind because the service port was already in
> use.
>
> Is it safe to say that the hacker made its way in through those ports and
> installed the rootkit from there?
>
> Thanks.
>
>
> On 4/29/06, eric draven < [EMAIL PROTECTED]> wrote:
>
> some mail scanners, e.g. qmail-scanner, are detected as LKMs....
>
> better yet, do a fresh install, and plug in rkhunter/chkrootkit
> immediately...
>
> On 4/28/06, seekuel < [EMAIL PROTECTED]> wrote:
>
> Hi guys,
>
> I'm using CentOS 4.3 as my email server, postfix as MTA, and
> open-xchange as webmail.
> I installed chkrootkit and rkhunter. The configuration is that rkhunter
> and chkrootkit will execute every day at 3am and email their results to the
> administrator account.
>
> I found this report from chkrootkit and was also surprised that an
> email account was created. I think that the system is compromised.
>
> How do I deal with this issue?
>
> Any help is well appreciated.
>
> Thanks,
>
> Sandeil
>
> Here is the output of chkrootkit:
> ---------
> Checking `asp'... not infected
> Checking `bindshell'... not infected
> Checking `lkm'... You have 2 process hidden for readdir command
> You have 2 process hidden for ps command
> chkproc: Warning: Possible LKM Trojan installed
> Checking `rexedcs'... not found
> Checking `sniffer'... eth0:
> PF_PACKET(/usr/sbin/snort-plain)
> Checking `w55808'... not infected
> Checking `wted'... chkwtmp: nothing deleted
> Checking `scalper'... not infected
> Checking `slapper'... not infected
> Checking `z2'... chklastlog: nothing deleted
> Checking `chkutmp'... chkutmp: nothing deleted
>
> _________________________________________________
>
> Philippine Linux Users' Group (PLUG) Mailing List
> [email protected] (#PLUG @ irc.free.net.ph)
> Read the Guidelines: http://linux.org.ph/lists
> Searchable Archives: http://archives.free.net.ph
>
> --
> Suddenly, I heard a tapping, as of someone gently rapping, rapping at my
> chamber door...


--
Xander R. Solis
-----------------------
xrsolis.blogspot.com

"Don't part with your illusions. When they are gone you may still
exist, but you have ceased to live."

GNUPG Key: 1024D/5257774A
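The two checks Xander recommends above, an md5sum baseline for the binaries you rely on and a look for processes that hide from ps (which is what the "process hidden for readdir command / ps command" lines in Sandeil's chkrootkit report are about), as an added example script. This is not code from the thread or from chkrootkit; the manifest path, binary list and PID lists are placeholders, and it assumes coreutils (md5sum, sort, comm, mktemp) plus a procps-style ps.

```shell
#!/bin/sh
# Added example (not from the thread, not chkrootkit's code): two of the
# checks Xander suggests, as reusable shell functions.
#   1. md5sum baseline: record checksums of trusted binaries once, then
#      re-verify them with "md5sum -c". The manifest must come from a
#      trusted state (a fresh install) and live on media the box cannot
#      rewrite, otherwise a rootkit can simply update it too.
#   2. /proc vs ps: list PIDs present as /proc/<pid> directories but absent
#      from "ps" output, the same idea behind chkrootkit's "process hidden
#      for readdir/ps command" warning.
# Assumptions: GNU or BusyBox coreutils (md5sum, sort, comm, mktemp) and a
# procps-style "ps -e -o pid=". All paths below are placeholders.

# make_baseline MANIFEST FILE... -- write checksums for FILE... into MANIFEST.
make_baseline() {
    manifest=$1
    shift
    md5sum "$@" > "$manifest"
}

# verify_baseline MANIFEST -- exit 0 if every file still matches its recorded
# checksum, non-zero if any file changed or disappeared (md5sum -c's status).
verify_baseline() {
    md5sum -c "$1" >/dev/null 2>&1
}

# pids_hidden_from_ps "PROC_PIDS" "PS_PIDS" -- print the PIDs that appear in
# the first whitespace-separated list but not in the second, one per line.
pids_hidden_from_ps() {
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    # comm needs sorted input; word-splitting of $1 and $2 is intentional.
    printf '%s\n' $1 | sort -u > "$a"
    printf '%s\n' $2 | sort -u > "$b"
    comm -23 "$a" "$b" | sed '/^$/d'
    rm -f "$a" "$b"
}

# Snapshot of PIDs according to the /proc directory listing (Linux only).
proc_pids() {
    for d in /proc/[0-9]*; do
        printf '%s\n' "${d#/proc/}"
    done
}

# Snapshot of PIDs according to ps.
ps_pids() {
    ps -e -o pid= | tr -d ' '
}

# live_hidden_pid_check -- run the /proc-vs-ps comparison twice, a second
# apart, and report only PIDs hidden in both rounds. Short-lived processes
# (including this script's own subshells) land in one snapshot but not the
# other and would otherwise show up as false positives.
live_hidden_pid_check() {
    first=$(pids_hidden_from_ps "$(proc_pids)" "$(ps_pids)")
    sleep 1
    second=$(pids_hidden_from_ps "$(proc_pids)" "$(ps_pids)")
    a=$(mktemp) || return 1
    b=$(mktemp) || { rm -f "$a"; return 1; }
    printf '%s\n' $first | sort -u > "$a"
    printf '%s\n' $second | sort -u > "$b"
    comm -12 "$a" "$b" | sed '/^$/d'
    rm -f "$a" "$b"
}

# Usage sketch (placeholder paths):
#   make_baseline /mnt/readonly/baseline.md5 /bin/ps /bin/netstat /usr/sbin/sshd
#   verify_baseline /mnt/readonly/baseline.md5 || echo "a baselined binary changed"
#   live_hidden_pid_check   # any PID printed here deserves a close look
```

A PID that survives both rounds is not proof of a kernel rootkit on its own (a process can also be stuck between snapshots), but it is the kind of discrepancy worth chasing with the ps ajxf, netstat -ap and strace steps from Xander's mail. Note that a baseline taken on an already-suspect machine only proves that nothing changed after the baseline, which is why the thread's advice to reinstall and set up rkhunter/chkrootkit immediately is the stronger move.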
