Help!! Have I been attacked/compromised????

From: AjN (ajay_nath@indiatimes.com)
Date: 02/26/02


From: ajay_nath@indiatimes.com (AjN)
Date: 26 Feb 2002 10:24:16 -0800

Hello,

I have been using RH7 on my laptop (non-networked) for several months
now. Yesterday, I noticed strange messages at startup, which NOW show
up on all startups .. (Snipped below from dmesg)

  portmap: RPC call returned error 111
  RPC: task of released request still queued!
  RPC: (task is on xprt_pending)
  portmap: RPC call returned error 111
  RPC: task of released request still queued!
  RPC: (task is on xprt_pending)
  lockd_up: makesock failed, error=-111
  portmap: RPC call returned error 111
  RPC: task of released request still queued!
  RPC: (task is on xprt_pending)

From web groups, I had heard about attacks. So I ran 'rpm -V procps'
with the following result:

  rpm -V procps
  SM5....T /bin/ps
  SM5....T /usr/bin/top

OUCH!!! So I ran the full verify ..

  rpm -Va |grep bin
  S.5....T /bin/netstat
  S.5....T /sbin/ifconfig
  SM5....T /bin/ps
  SM5....T /usr/bin/top
  S.5....T /usr/bin/pstree
  S.5....T /bin/ls
  S.5....T /usr/bin/find

OUCH!! OUCH!! Definitely compromised! I have not installed any new
packages for a long time. I do have apache running on the laptop, cuz
I use it for testing cgi scripts.

What's going on? How can I recover? I am a newbie in Linux sysadmin ..
HELP!!
Where can I get good security info??

Thanks!!
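
The following is an added example, not part of the original post: a small Python parser that decodes the `rpm -V` flag column shown above and separates content changes in packaged binaries from changes that are expected, such as edited config files. The function names are hypothetical, and the last three sample lines are constructed to cover cases the post does not show.

```python
import re

# Flag letters in the first column of `rpm -V` output (see the rpm man page).
FLAGS = {
    "S": "size", "M": "mode", "5": "digest", "D": "device", "L": "symlink",
    "U": "owner", "G": "group", "T": "mtime", "P": "capabilities",
}
# 8 flag characters on old rpm (as in the post), 9 on current rpm; then an
# optional file-type marker (c = config, d = doc, ...) and the path.
LINE = re.compile(r"^(missing|[SM5DLUGTP.?]{8,9})\s+(?:([cdglr])\s+)?(/.*)$")

# The first seven lines are the ones quoted in the post; the last three are
# constructed here to exercise the config, mtime-only and missing cases.
SAMPLE = """\
S.5....T /bin/netstat
S.5....T /sbin/ifconfig
SM5....T /bin/ps
SM5....T /usr/bin/top
S.5....T /usr/bin/pstree
S.5....T /bin/ls
S.5....T /usr/bin/find
S.5....T c /etc/httpd/conf/httpd.conf
.......T d /usr/share/doc/example/README
missing    /usr/bin/example-tool
"""

def parse_rpm_verify(text):
    """Return one dict per reported file: path, changed attributes, review flag."""
    findings = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines, prompts, anything that is not a report line
        flags, marker, path = m.groups()
        if flags == "missing":
            changed, review = ["missing"], True
        else:
            changed = [FLAGS[c] for c in flags if c in FLAGS]
            # A digest mismatch means the content differs from what the package
            # installed. Config files are expected to be edited, binaries are not.
            review = "5" in flags and marker != "c"
        findings.append({"path": path, "changed": changed, "review": review})
    return findings

def needs_review(text):
    return [f["path"] for f in parse_rpm_verify(text) if f["review"]]

if __name__ == "__main__":
    for f in parse_rpm_verify(SAMPLE):
        print("REVIEW" if f["review"] else "ok    ", f["path"], ", ".join(f["changed"]))
```

`rpm -V` compares files against the RPM database stored on the same disk, so on a host in this state the result is more trustworthy when rpm is run from known-good read-only media against the mounted filesystem (`rpm -Va --root <mountpoint>`).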


