Re: Hacked too?

2002-01-11 Thread martin f krafft

thus spoke Игорь Балусов [EMAIL PROTECTED] [2002.01.11.2316 +0100]:
> I have run chkrootkit and get
> Checking `bindshell'... INFECTED (PORTS:  31337)
> What do I need to do?

reinstall. no, really! unless this is a non-productive system, in which
case you are free to try to remove it. but once you have a cracked
system, you can't take anything for granted, you can't even trust your
keyboard anymore. and every time you use SSH or telnet or whatever, your
password is probably going straight to the hacker. so all the systems
you SSH into are possibly also hacked. let's hope you don't root-login
remotely anywhere!

-- 
martin;  (greetings from the heart of the sun.)
  \ echo mailto: !#^.*|tr * mailto:; net@madduck
  
f u cn rd ths, u cn gt a nce jb in th prgrmng indstry





RE: Hacked too?

2002-01-11 Thread Hassard, Stephen

still, I think that one of the first things you should do with your hacked
systems is unplug the network cable. the majority of hacks these days are
for stepping stones, they don't necessarily care about the data on your PC,
but will have other PCs from yours. I don't think you really want the FBI
knocking on your door after they find out that your home PC has been banging
on their network .. :P

> -----Original Message-----
> From: martin f krafft [mailto:[EMAIL PROTECTED]]
> Sent: January 11, 2002 2:34 PM
> To: debian-security@lists.debian.org
> Subject: Re: Hacked too?
>
> thus spoke Игорь Балусов [EMAIL PROTECTED] [2002.01.11.2316 +0100]:
> > I have run chkrootkit and get
> > Checking `bindshell'... INFECTED (PORTS:  31337)
> > What do I need to do?
>
> reinstall. no, really! unless this is a non-productive system, in which
> case you are free to try to remove it. but once you have a cracked
> system, you can't take anything for granted, you can't even trust your
> keyboard anymore. and every time you use SSH or telnet or whatever, your
> password is probably going straight to the hacker. so all the systems
> you SSH into are possibly also hacked. let's hope you don't root-login
> remotely anywhere!
>
> --
> martin;  (greetings from the heart of the sun.)
>   \ echo mailto: !#^.*|tr * mailto:; net@madduck
>
> f u cn rd ths, u cn gt a nce jb in th prgrmng indstry


--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of unsubscribe. Trouble? Contact [EMAIL PROTECTED]




RE: Hacked too?

2002-01-11 Thread Ed Street

> I have run chkrootkit and get

Anyone have a d/l site for the deb package of this?

Ed






RE: Hacked too?

2002-01-11 Thread Igor Balusov

What does this mean:
"If you're running PortSentry/klaxon or another program that binds itself to
unused ports probably chkrootkit will give you a false positive on the
bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
It is from http://www.chkrootkit.org/
Is my PC really hacked or not? How can I determine it?
When I run netstat -an I get
udp        0      0 0.0.0.0:31337   0.0.0.0:*
How can I stop this?
Billy









RE: Hacked too?

2002-01-11 Thread Stephen Ryan

On Fri, 2002-01-11 at 17:49, Igor Balusov wrote:
> What does this mean:
> "If you're running PortSentry/klaxon or another program that binds itself to
> unused ports probably chkrootkit will give you a false positive on the
> bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
> It is from http://www.chkrootkit.org/
> Is my PC really hacked or not? How can I determine it?
> When I run netstat -an I get
> udp        0      0 0.0.0.0:31337   0.0.0.0:*
> How can I stop this?
> Billy

Try netstat -anp to find out which program is listening on that port. 

You should also check to see whether you have portsentry installed or
anything like it.  (dpkg -s portsentry if you installed it via Debian;
I don't know what others might be installed or where to look if you
installed them from source instead.)






RE: Hacked too?

2002-01-11 Thread Emmanuel Valliet

(2002-01-12) Igor Balusov sed :

 | What does this mean:
 | "If you're running PortSentry/klaxon or another program that binds itself to
 | unused ports probably chkrootkit will give you a false positive on the
 | bindshell test (ports .. 31336/tcp, 31337/tcp ...)."?
 | It is from http://www.chkrootkit.org/
 | Is my PC really hacked or not? How can I determine it?
 | When I run netstat -an I get
 | udp        0      0 0.0.0.0:31337   0.0.0.0:*
 | How can I stop this?
 | Billy

fuser -n udp 31337 will give you the PID of the process listening on
port 31337.
Then with ps you will be able to discover the process hiding behind it.
Otherwise, lsof is your friend too :)

-- 
VALLIET Emmanuel
Webmotion Inc. (- http://www.webmotion.com -)
Bored? Drive the speed limit... in your garage.






RE: Hacked too?

2002-01-11 Thread Igor Balusov

Thanks Stephen,
I have run the netstat -anp
The result is: 
 0.0.0.0:31337  0.0.0.0:*  1687/fakebo
Really, I have installed fakebo.
It is useful. Very often somebody tries to find backdoors on my PC. It helps me to
discover them.
Billy
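
Added example, not part of any post in this thread: the `netstat -anp` triage the replies above describe, run over constructed sample output. The function names, the sample lines and the way decoy programs appear in the Program column are assumptions.

```sh
#!/bin/sh
# Constructed sample of `netstat -anp` output; only the "1687/fakebo" owner
# of udp/31337 is taken from the thread, every other line is made up.
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  412/sshd
tcp        0      0 0.0.0.0:31336    0.0.0.0:*        LISTEN  733/portsentry
udp        0      0 0.0.0.0:31337    0.0.0.0:*                1687/fakebo
tcp        0      0 0.0.0.0:4000     0.0.0.0:*        LISTEN  -
EOF
}

# port_owner PROTO PORT: read netstat text on stdin and print the
# "PID/Program" field of every socket whose local address ends in :PORT.
# Anchoring on the local-address column keeps foreign ports and other
# ports with the same suffix (1337 vs 31337) from matching.
port_owner() {
    awk -v proto="$1" -v port="$2" \
        '$1 ~ ("^" proto) && $4 ~ (":" port "$") { print $NF }'
}

# classify_owner PID/PROGRAM: the decoy names are an assumption about how
# PortSentry, klaxon and fakebo show up in the Program column.
classify_owner() {
    prog=${1#*/}                       # drop the "PID/" prefix
    case "$prog" in
        portsentry|klaxon|fakebo) echo "decoy-listener" ;;
        -|"")                     echo "owner-hidden" ;;   # not root, or concealed
        *)                        echo "investigate" ;;
    esac
}

# triage_port PROTO PORT < netstat-output
triage_port() {
    owners=$(port_owner "$1" "$2")
    [ -n "$owners" ] || { echo "not-bound"; return 0; }
    for o in $owners; do
        echo "$1/$2 $o $(classify_owner "$o")"
    done
}

# Live use (as root, so other users' PIDs are visible):
#   netstat -anp | triage_port udp 31337
sample_netstat | triage_port udp 31337
```

A `decoy-listener` result rests on a program name reported by the host under examination, so it is a hint rather than proof; an `owner-hidden` result on a run as root deserves a closer look with fuser or lsof.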





Re: Hacked too?

2002-01-11 Thread Ralf Dreibrodt

> Sorry but could someone please summarize what the Hacked too? thread is
> about?

someone used a script, which should detect rootkits and it said it found
one, although there is probably none. it seems just to check whether a
certain port is open.

just ignore the thread ;)

bye
Ralf






Re: Hacked too?

2002-01-11 Thread Uwe Hermann

Hi Ed,

On Fri, Jan 11, 2002 at 05:46:58PM -0500, Ed Street wrote:
> > I have run chkrootkit and get
>
> Anyone have a d/l site for the deb package of this?

apt-get install chkrootkit


Uwe.
-- 
Uwe Hermann
[EMAIL PROTECTED]
[EMAIL PROTECTED] | Unmaintained Free Software:
http://www.hermann-uwe.de | http://www.unmaintained-free-software.org






RE: Hacked too?

2002-01-11 Thread dude


Sorry but could someone please summarize what the Hacked too? thread is
about?

just got back into town and not making sense of the thread that i read in
the archives

Thankx