OK, I'm pissed. I found, by doing a random 'netstat', that
port 31337 is open on my computer. And with a little fiddling,
I found that it's a primitive root shell. So my question
is how the hell did that happen? I also found that my hosts.allow
and hosts.deny were deleted. I used to deny access to non-UT IPs.
It was wide open when I found it. I have everything closed
except the stuff on the netstat output:
tcp        0      0 *:ssh               *:*     LISTEN
tcp        0      0 *:6000              *:*     LISTEN
tcp        0      0 *:smtp              *:*     LISTEN
tcp        0      0 *:printer           *:*     LISTEN
tcp        0      0 localhost:domain    *:*     LISTEN
tcp        0      0 *:netbios-ssn       *:*     LISTEN
tcp        0      0 *:111               *:*     LISTEN
tcp        0      0 *:31337             *:*     LISTEN
The only weak link I can think of is samba, or maybe sendmail.
I only allow my LAN IPs and the UT 127.*.*.* IPs on Samba, and
I'm using the sendmail that came with RH 6.0 -- I never
bothered with qmail. Does RH 6 have a big exploit that
I somehow missed hearing about? I'm running the 2.2.5-15 kernel
that came on the CD with a few modifications.
I also know that 31337 is used with Back Orifice, but I'm running
Linux. Any ideas? I'm not looking for a complete security
analysis, just some hunches. I'm by no means a security expert.
Thanks,
Dave
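A small triage script for the situation Dave describes, added here as an example and not part of his post or any tool he mentions: it parses a netstat-style LISTEN listing, diffs it against the set of ports the owner says should be open, and flags anything else, with an explicit warning for the port the post names. The allowlist is simply the seven services from the listing above, the sample input is the listing itself (constructed from the post), and the KNOWN_BAD mapping and all function names are assumptions for illustration.

```python
"""Listener triage: compare a `netstat -an`-style listing against what the
owner expects to be open and report everything else.

Added example, not code from the original post.  Assumptions: port names
appear as netstat prints them (resolved through /etc/services), and the
allowlist is just what the poster said was intentionally open.
"""
import re

# Constructed sample: the eight LISTEN lines quoted in the post above.
SAMPLE_NETSTAT = """\
tcp 0 0 *:ssh *:* LISTEN
tcp 0 0 *:6000 *:* LISTEN
tcp 0 0 *:smtp *:* LISTEN
tcp 0 0 *:printer *:* LISTEN
tcp 0 0 localhost:domain *:* LISTEN
tcp 0 0 *:netbios-ssn *:* LISTEN
tcp 0 0 *:111 *:* LISTEN
tcp 0 0 *:31337 *:* LISTEN
"""

# What the owner says is meant to be open (assumption: taken from the post).
EXPECTED = {"ssh", "6000", "smtp", "printer", "domain", "netbios-ssn", "111"}

# Ports that get a loud warning regardless of any allowlist.  31337 is the
# one the post names; the description is an assumption for illustration.
KNOWN_BAD = {"31337": "classic backdoor port (Back Orifice / 'eleet')"}

# Proto  Recv-Q  Send-Q  Local-Address  Foreign-Address  State
LINE_RE = re.compile(r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+LISTEN\s*$")


def parse_listeners(text):
    """Return [(proto, local_addr, local_port), ...] for every LISTEN line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, ESTABLISHED sockets, unix sockets, etc.
        proto, local, _foreign = m.groups()
        addr, port = local.rsplit(":", 1)  # split on the LAST colon (IPv6-safe)
        out.append((proto, addr, port))
    return out


def triage(text, expected=EXPECTED, known_bad=KNOWN_BAD):
    """Findings for listeners that are known-bad or simply not on the allowlist."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if port in known_bad:
            findings.append({"proto": proto, "addr": addr, "port": port,
                             "severity": "KNOWN_BAD", "why": known_bad[port]})
        elif port not in expected:
            findings.append({"proto": proto, "addr": addr, "port": port,
                             "severity": "UNEXPECTED", "why": "not in allowlist"})
    return findings


def exposed_on_all_interfaces(text):
    """Ports bound to the wildcard address, i.e. reachable from every network the host is on."""
    return {port for _proto, addr, port in parse_listeners(text)
            if addr in ("*", "0.0.0.0", "::")}


if __name__ == "__main__":
    for f in triage(SAMPLE_NETSTAT):
        print(f"[{f['severity']}] {f['proto']} {f['addr']}:{f['port']} - {f['why']}")
    print("wildcard-bound:", sorted(exposed_on_all_interfaces(SAMPLE_NETSTAT)))
```

On the sample input the only finding is 31337, and the wildcard check shows that everything except the name server (bound to localhost) is reachable from any interface. Feed the script saved output from the real machine with `triage(open("netstat.txt").read())`; the next step on a live box is to tie the socket to its process (`netstat -anp` or `lsof -i :31337`) before trusting anything else on a host where hosts.allow and hosts.deny have already been removed.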