Xterm

From: Yahoo - CQRMail (cqrmail@yahoo.com)
Date: 10/26/01


From: "Yahoo - CQRMail" <cqrmail@yahoo.com>
To: <incidents@securityfocus.com>
Subject: Xterm 
Date: Thu, 25 Oct 2001 21:58:05 -0400
Message-ID: <FJEELJEFFFDHCDIOKCGJEECBDAAA.cqrmail@yahoo.com>

My Snort IDS picked up a bunch of X11 signatures:
http://www.whitehats.com/info/ids126
Source IP is a random public address, source port is 6000... random
destination inside ports.

I have blocked 6000 at the firewall, but I don't know where to begin
tracking down what is compromised on the server. I am running Mandrake 8,
only ports allowed are 80 and 22...xdm has been disabled.

I didn't see much in the logs, so where should I begin, and what should I
look for?

I will probably rebuild the server, but I would like to see if I can find
out what has been done first, so I can be prepared later...

TIA... new to Linux, so I apologize for my crude question,
Tony



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
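An added example, not part of the post or the list archive: a small Python triage script over constructed Snort-style alert lines that summarizes, per outside source, whether the source port stays fixed at 6000 while the inside destination ports vary, which is the pattern the post describes and is the shape of traffic coming back from a port-6000 listener. The addresses, ports and signature names are constructed samples, not values from the post.

```python
import re

# Constructed Snort "fast" alert lines for this example; the addresses,
# ports and signature names are sample values, not from the original post.
SAMPLE_ALERTS = """\
10/25-21:40:12.100 [**] [100:1:1] X11 sample alert [**] {TCP} 203.0.113.7:6000 -> 192.0.2.10:34511
10/25-21:40:12.350 [**] [100:1:1] X11 sample alert [**] {TCP} 203.0.113.7:6000 -> 192.0.2.10:34512
10/25-21:41:03.020 [**] [100:1:1] X11 sample alert [**] {TCP} 203.0.113.7:6000 -> 192.0.2.10:41877
10/25-21:41:59.880 [**] [100:1:1] X11 sample alert [**] {TCP} 203.0.113.7:6000 -> 192.0.2.22:51203
10/25-21:42:10.400 [**] [100:2:1] Unrelated sample alert [**] {TCP} 198.51.100.9:44123 -> 192.0.2.10:80
"""

ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[[\d:]+\]\s+(?P<sig>.+?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            a = m.groupdict()
            a["sport"], a["dport"] = int(a["sport"]), int(a["dport"])
            alerts.append(a)
    return alerts

def summarize_by_source(alerts):
    """Group alerts by outside source address and collect the ports and inside hosts seen."""
    summary = {}
    for a in alerts:
        s = summary.setdefault(a["src"], {"count": 0, "sports": set(), "dports": set(), "dhosts": set()})
        s["count"] += 1
        s["sports"].add(a["sport"])
        s["dports"].add(a["dport"])
        s["dhosts"].add(a["dst"])
    return summary

def triage_notes(summary, listener_port=6000):
    """Flag sources whose source port never changes while the inside destination
    ports vary across the ephemeral range: the shape of replies from a listener."""
    notes = []
    for src, s in summary.items():
        if s["sports"] == {listener_port} and len(s["dports"]) > 1 and min(s["dports"]) >= 1024:
            notes.append(f"{src}: {s['count']} alerts, source port fixed at {listener_port}, "
                         f"{len(s['dports'])} inside ports on {sorted(s['dhosts'])}; "
                         f"check which inside processes connected out to {src}:{listener_port}")
    return notes
```

Run it on the real alert file with `triage_notes(summarize_by_source(parse_alerts(open(path).read())))`; a flagged source points at the inside hosts whose outbound connections (lsof/netstat, shell histories, cron entries) are worth examining first.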


