Re: a (maybe faq) question...

From: Matt B. (root@ubergeek.localdomain)
Date: 05/28/02


    From: "Matt B." <root@ubergeek.localdomain>
    Date: Tue, 28 May 2002 21:44:46 GMT
    
    

    RainbowHat wrote:
    >
    > < matt
    >
    > 8< (RH7.2)
    >
    In the beginning I couldn't get FBSD to install, so I got RH and hooked
    it up. Besides, it's better than some options (Corel Linux, any M$
    product).
    <snip>
    > You can see the process name using `netstat -anp` or `/usr/sbin/lsof -n -i`
    > as root. Which protocol and status was `netstat` showing? Is it
    > `sgi_fam`? Are there unfamiliar processes like '[mingetty]' (Note:
    > quoted square brackets)? Are there unfamiliar files in /tmp, like
    > `ls -l /tmp/.h*`? If the protocol is TCP:
    >
    > telnet 127.0.0.1 996

    I did see [mingetty] on there. I telnet'd to the port, and it accepted
    my connection, but it wouldn't let me do anything... :(
    /tmp had nothing out of the ordinary.
    <snip>
    > Do you really mean "remote address" is internet not your LAN?

    Yes. My LAN is 10.0.0, this was 209.

    > Perhaps the
    > status was FIN_WAIT1|2, CLOSE_WAIT or TIME_WAIT. Or ESTABLISHED but
    > waiting for the establishment timeout.
    >
    Could have been established but waiting. But the net had been down like
    10 minutes, so my guess (as a newb anyway) is a compromised netstat.
    <snip>
    > If the rootkit is an LKM or shared-library type, copying from CD-ROM is
    > ineffective. Rebooting from CD-ROM in rescue mode, mounting this
    > partition and running `chkrootkit` with the '-r' option will help you.
    >
    > ./chkrootkit -x -r _mount_point_
    >
    > If not the above, here is the README file from chkrootkit-0.35.
    > |chkrootkit uses the following commands to make its tests: awk, cut,
    > |egrep, find, head, id, ls, netstat, ps, strings, sed, uname. It is
    > |possible, with the `-p' option, to supply an alternate path to
    > |chkrootkit so it won't use the system's (possibly) compromised
    > |binaries to make its tests.
    >
    > ./chkrootkit -x -p _clean_binary_directory_
    >
    > --
    > Regards, RainbowHat. To spoof or not to spoof, that is the IPv4 packet.
    > ----+----1----+----2----+----3----+----4----+----5----+----6----+----7

    Thanks for your help. It wasn't an rstb trojan, and s/he took the time to
    forge some proper-looking logs, so I am just going to clean install
    tonight. Build a better f/w this time :0)

    --
    no sig, as i am not on my computer
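As an added example (not part of the original post, and not chkrootkit's own code): the "compromised netstat" worry raised in this thread can be tested without trusting the netstat binary, by reading the kernel's own socket table in /proc/net/tcp and diffing it against what `netstat -ant` prints. The script below, in Python, decodes the hex address and state columns of that table (the `st` codes behind LISTEN, ESTABLISHED, FIN_WAIT1 and the rest), runs over a constructed sample table and a constructed netstat listing, and reports sockets netstat omitted plus connections whose peer is outside a 10.0.0.x LAN. The addresses, inodes and the trojaned netstat output are hypothetical; the address decoding assumes a little-endian (x86) host like the RH 7.2 box discussed.

```python
"""Cross-check the kernel's TCP table against netstat output.

Added example for this thread, not code from the original post. A
userland rootkit that replaces /bin/netstat can hide a listener (the
port 996 in the thread) or a remote connection; /proc/net/tcp is read
straight from the kernel and does not go through that binary.
Caveat: an LKM rootkit can filter /proc as well, which is why running
chkrootkit from rescue media still matters.
"""
import socket
import struct

# Kernel TCP state codes (include/net/tcp_states.h), printed in column 'st'.
TCP_STATES = {
    0x01: "ESTABLISHED", 0x02: "SYN_SENT", 0x03: "SYN_RECV",
    0x04: "FIN_WAIT1", 0x05: "FIN_WAIT2", 0x06: "TIME_WAIT",
    0x07: "CLOSE", 0x08: "CLOSE_WAIT", 0x09: "LAST_ACK",
    0x0A: "LISTEN", 0x0B: "CLOSING",
}


def decode_endpoint(hexaddr):
    """'0100007F:03E4' -> ('127.0.0.1', 996).

    The kernel prints the network-order address as a host-order hex word,
    so on a little-endian host the octets come out reversed. Assumes x86;
    on a big-endian host the pack format would be '>I'.
    """
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local, remote, state, inode."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        f = line.split()
        if len(f) < 10:
            continue
        rows.append({
            "local": decode_endpoint(f[1]),
            "remote": decode_endpoint(f[2]),
            "state": TCP_STATES.get(int(f[3], 16), f[3]),
            "inode": int(f[9]),
        })
    return rows


def _endpoint(s):
    """'0.0.0.0:*' -> ('0.0.0.0', 0); netstat prints '*' for port 0."""
    ip, port = s.rsplit(":", 1)
    return ip, 0 if port == "*" else int(port)


def parse_netstat(text):
    """Parse `netstat -ant` lines into a set of (local, remote) pairs."""
    seen = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp"):
            continue
        seen.add((_endpoint(f[3]), _endpoint(f[4])))
    return seen


def hidden_from_netstat(proc_rows, netstat_text):
    """Sockets the kernel reports that netstat did not print."""
    seen = parse_netstat(netstat_text)
    return [r for r in proc_rows if (r["local"], r["remote"]) not in seen]


def off_lan_peers(proc_rows, lan_prefix):
    """Connected sockets whose peer is outside the given LAN prefix."""
    return [r for r in proc_rows
            if r["remote"][1] != 0 and not r["remote"][0].startswith(lan_prefix)]


# Constructed sample of /proc/net/tcp from a little-endian box: sshd on 22,
# an unexplained listener on 996, and a connection from 10.0.0.5 to a peer
# in 209/8 (all addresses hypothetical).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:03E4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 100 0 0 10 0
   2: 0500000A:0401 1E140AD1:10E1 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 00000000 20 4 30 10 -1
"""

# Constructed `netstat -ant` output as a trojaned binary might print it:
# only the sshd listener is shown.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    for r in hidden_from_netstat(rows, SAMPLE_NETSTAT):
        print("hidden from netstat:", r)
    for r in off_lan_peers(rows, "10.0.0."):
        print("peer outside LAN:", r)
```

On a live box, replace the two samples with `open("/proc/net/tcp").read()` and the captured output of `netstat -ant`; the inode column is what `lsof -n -i` or a walk of /proc/*/fd can map back to a process. A clean diff only rules out a replaced netstat binary, not a kernel-level rootkit, so it complements rather than replaces the rescue-media chkrootkit run quoted above.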
    


