a (maybe faq) question...

From: matt (moleculematt@netscape.net)
Date: 05/28/02

well, i think my RH7.2 machine has been compromised. i did a portscan to
see if my f/w was doing any good and it wasn't. that's the last time i
use the f/w setup @ install btw...

anyway, the port scan showed ports 996 (xtreelic/vsinet?) and 1026
(nterm) open and listening. so i did a netstat -a and it showed an
active connection on the 996 port to a remote address. i then did a who
to see if anyone was on that shouldn't be (like another me :o) ) and
there wasn't.

i am on a dialup connection, so i took it down and immediately checked
the /etc/passwd file to see if any users were added (there weren't). then
i hit up all my logs and nothing was out of what it should be. confused,
i launched chkrootkit with nothing found. i ran netstat -a again now
that it was off and it said there was still an active connection to a
remote machine on 996 (net is down + active connection over ppp = /me
confused)

well, enough of my whining...so here is my question:
1. what binaries should i put on a cd to use to audit better? i figured
grep, netstat, nmap, ps, who and lsof but i know there are more i am
missing

tia people!

-- 
matt b
webmaster/designer/general nice guy
http://molecule.8k.com (site still not finished)
-----BEGIN GEEK CODE BLOCK-----
version 3.12
GFA/MU/PA$ d- s+:++ a?25 C++ UL++> P++> L++> E-- W+++ N++ o? K? w O?>
M-- V? PS--- PE Y-- PGP- t- 5 X- R-- tv+ b+> DI+ D-- G++> e h! r* y-
-----END GEEK CODE BLOCK-----
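An added example, not from the post or its replies, of one way to assemble the audit toolkit the question asks about: a POSIX shell function that copies the chosen binaries plus every shared library ldd reports for them into a staging directory (ready to burn to read-only media) and records checksums so the copy can be verified later. The tool list and the staging path are assumptions.

```shell
#!/bin/sh
# Stage trusted audit binaries and their libraries for a read-only CD.
# Constructed example; the tool list is an assumption, extend as needed.
TOOLS="ls ps netstat lsof who grep find strings md5sum"

collect_tools() {
    dest="$1"; shift
    mkdir -p "$dest/bin" "$dest/lib" || return 1
    for t in "$@"; do
        src=$(command -v "$t" 2>/dev/null) || { echo "skip: $t not found" >&2; continue; }
        cp "$src" "$dest/bin/" || return 1
        # Copy each shared library ldd lists ("x => /path" lines and the bare
        # "/lib/ld-*.so" loader line) so the CD copy can run with
        # LD_LIBRARY_PATH="$dest/lib" and never load a library from the
        # possibly-trojaned host. Statically linked binaries are still
        # preferable, since ldd output itself comes from the host.
        ldd "$src" 2>/dev/null \
          | awk '/=> \//{print $3} $1 ~ /^\//{print $1}' \
          | while read -r lib; do
                [ -e "$dest/lib/$(basename "$lib")" ] || cp "$lib" "$dest/lib/"
            done
    done
    # Record checksums of everything staged; verify later with md5sum -c.
    (cd "$dest" && find bin lib -type f | sort | xargs md5sum > MD5SUMS)
}

# Count the binaries actually staged (useful as a sanity check).
staged_count() {
    find "$1/bin" -type f | wc -l | tr -d ' '
}
```

Run the copies from the mounted CD as e.g. `LD_LIBRARY_PATH=/mnt/cdrom/lib /mnt/cdrom/bin/netstat -anp` so that neither the binary nor its libraries come from the suspect disk.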
