Hello,

We've got a SUSE 7.0 PC, which may have been affected by a hacker. Of course, there is 
no firewall or any IDS system :-)
The PC is a small file server for some Win2000 PCs (Samba) and a test server with 
Apache. Also running SSH, FTP, X.
Btw, in the past nobody was concerned about security in this small network, because there 
are no "secrets", we just build webpages. But some days ago our network (permanent) 
provider told us there were incidents from our IP addresses to others.

I just began learning security issues (I hope my English is not as bad as my security 
knowledge).

Now, I tried to find some traces in /var/messages - none, command "last" - none

I tried "chkroot" - nothing found, 

tried "kstat" (like ksec for OpenBSD) - I had problems with the configuration 
(system.map ...?)
but here the output of "kstat":
>kstat -M
Using /lib/modules/misc/knull.o
insmod: a module named knull already exists
Module              Address
knull               0xd002d000
ipv6                0xd0046000
3c59x               0xd0036000
serial              0xd0021000
usbcore             0xd0000000
                      0xc02758c0
> kstat -m 0xc02758c0
Probing memory at 0xc02758c0
Name:
Size: 0
Flags: MOD_RUNNING
First Registered Symbol:        drive_info at 0xc02bb660

I tried to reconfigure /etc/services and /etc/inetd.conf to disallow unwanted services 
and Ports.
Then I made a scan with "superscan" at home via PPP. 
Besides the installed service ports there were 2 open ports shown:
37 and 113. A port-list told me 37 is "time" and 115 is "auth"

Is my kernel affected or are there any other possibilities than /etc/services and 
/etc/inetd.conf to open ports for daemons?

Is it suitable to scan the PC locally (login via ssh) with tools like nmap, nessus ... 
because I don't want to get trouble with some admins?

I would be thankful for any hint!

Franz Alt
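
Added example, not part of the original message: a Python script that lists the ports opened by active /etc/inetd.conf entries (service names resolved through /etc/services) and reports which scanned TCP ports inetd does not account for, i.e. ports held by something started outside inetd. The sample file contents, the scanned-port list and the function names are constructed for illustration.

```python
# Added example: constructed sample data, not files from the poster's machine.
SAMPLE_SERVICES = """\
ftp             21/tcp
time            37/tcp          timserver
time            37/udp          timserver
auth            113/tcp         authentication tap ident
"""
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd
#telnet stream  tcp  nowait  root    /usr/sbin/tcpd  in.telnetd
time    stream  tcp  nowait  root    internal
time    dgram   udp  wait    root    internal
auth    stream  tcp  nowait  nobody  /usr/sbin/in.identd  in.identd
"""

def parse_services(text):
    """Map (name or alias, proto) -> port from /etc/services content."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or "/" not in fields[1]:
            continue
        port, proto = fields[1].split("/", 1)
        if port.isdigit():
            for name in [fields[0]] + fields[2:]:
                table.setdefault((name, proto), int(port))
    return table

def inetd_listeners(inetd_text, services_text):
    """Return (port, proto, service) for each uncommented inetd.conf entry."""
    services = parse_services(services_text)
    found = []
    for line in inetd_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0].startswith("#"):
            continue  # blank line, comment, or disabled (commented-out) service
        name, proto = fields[0], fields[2]
        port = int(name) if name.isdigit() else services.get((name, proto), -1)
        found.append((port, proto, name))  # -1 marks a name missing from services
    return sorted(found)

def unexplained(open_tcp_ports, listeners):
    """TCP ports seen in a scan that no active inetd.conf entry accounts for."""
    by_inetd = {port for port, proto, _ in listeners if proto == "tcp"}
    return sorted(set(open_tcp_ports) - by_inetd)

if __name__ == "__main__":
    listeners = inetd_listeners(SAMPLE_INETD_CONF, SAMPLE_SERVICES)
    print("opened by inetd:", listeners)
    print("not started by inetd:", unexplained([21, 22, 37, 80, 113], listeners))
```

On the real machine, pass the contents of /etc/inetd.conf and /etc/services instead of the samples; inetd only rereads its configuration after it is sent SIGHUP or restarted.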