Re: "KWrited - listening on device /dev/pts/0" ??
From: Erik (erik@geenspam.vanwesten.net)
Date: 05/05/02
- In reply to: DMS: ""KWrited - listening on device /dev/pts/0" ??"
From: Erik <erik@geenspam.vanwesten.net> Date: 05 May 2002 14:42:40 GMT
DMS <phonlabREMOVE@nospamu.washington.edu> wrote:
> I recently installed Mandrake 8.1. (for the 3rd time! :) ) My machine is
> on a university network. I frequently get a popup KWrited document on my
> desktop that is labeled "listening on device /dev/pts/0" and then makes a
> long list of audio and font files locating them on several of my partitions.
> The partitions are:
> the /dev/ ... (of my secondary drive that contains an alternate boot of
> Redhat 5.1)
> the /usr/share/ ...
> the /var/lib ...
> the /var/tmp ...
> I assume people used my machine's drives as a way station for napster like
> file transfer...
Uh oh. Unplug. Reinstall. Update. Run packet filter. Reconnect.
> I just poked around in the Control Panel and set my security to medium ...
> that seems to have stopped it. At least I am not getting any more KWrited
> listening docs popping up ... (I didn't do this before because during
> install I requested high security but it appears "Crackers" level somehow
> got installed anyway.)
Your machine is already contaminated. There is only one solution.
> Am I right about what was going on and why? What, if anything, more should
> I do additionally? I saved a copy of the KWrited listing of files ...
> should I delete the files?
It is probably not in these files... Download chkrootkit
(www.chkrootkit.org), or download it as rpm from mandrake and check the
damage. Assume the worst :-(.
> Is there any chance there is some kind of worm or trojan horse on my machine
> now?
Yup. See above.
> (Background: This machine is only a work station ... the only LAN/network
> usage is for 8.1 to access the web and to print to a network printer ... I
> think I'll just unplug the cat5 when booted to RH5.1 as I imagine network
> connectivity/protection will be difficult/complicated for such an old dist..
> Unless there is a setting/config I can give the RH 5.1 boot that will
> completely disable the lan connection when booted to 5.1?)
But usually you are running a lot of unneeded (and often vulnerable)
services. Intruders _will_ find these. Running in high security mode
will usually turn off these services, but obviously that is too late.
Download the new Mandrake 8.2, run in high security mode, and _update_!
HTH,
EJ
-- For OpenBSD pf and nat rule examples: http://www.vanwesten.net