Re: I think I have been hacked
From: RainbowHat (nHiATlE@blSackholeP.mAit.edMu.invalid)
Date: 05/30/02
From: RainbowHat <nHiATlE@blSackholeP.mAit.edMu.invalid> Date: Thu, 30 May 2002 20:23:55 +0000 (UTC)
[ I snipped my parts which I guess are no problem. ]
< Graham Daniell
>[root@torvalds /root]# nslookup unknown
>Server: bilby.wn.com.au
>Address: 203.10.1.17
>*** bilby.wn.com.au can't find unknown: Non-existent host/domain
>(bilby is my ISP's box (proxy?))
I think it's not a proxy but a primary name server. You don't need root
privilege for the above commands (including my snipped parts), and it's insecure.
I was worried about (DNS|hosts file) poisoning, but it looks like there is no poisoning.
>> su
>[root@torvalds /root]# echo $HOSTALIASES $LOCALDOMAIN
>[root@torvalds /root]#
>(any significance in the <blank line> in the above?)
I was worried an intruder had set something, but the blank line is no problem.
>My son is using mIRC, v 6.01
>(appears to be the latest ver?)
Sorry, I'm not using Windoze and mIRC, but I have read about it before.
Googling the keywords "mIRC", "vulnerability" and "bugtraq" will help you.
http://www.google.com/ http://online.securityfocus.com/archive/1
http://www.mirc.co.uk/ http://www.mirc.com/
http://www.irchelp.org/irchelp/security/
>> 8< (Summary: lsof -i, netstat -rn, ps)
>- pardon? (what is the above?)
I just snipped the paragraph and left the summary :)
>Thank you for your reply, it has given me something to think about. I
>think I get the drift of what the above commands are doing, looking for
>something amiss, and the outputs above seem to look innocuous to me. How
>about to you?
Welcome. Yes, the above investigations look innocuous to me. Perhaps
someone suggested that the IRC server checked for a proxy. When you or your son
connect to an IRC server, some servers check auth (port 113) and port
probe your box. The most common ports are 23, 80, 1080, 3128, 8000 and
8080.
--
Regards, RainbowHat.
To spoof or not to spoof, that is the IPv4 packet.
----+----1----+----2----+----3----+----4----+----5----+----6----+----7
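
The reply above notes that some IRC servers check auth (port 113) and probe common proxy ports when a client connects. As an added example (not part of the original post), this Python code labels inbound connections that follow an outbound IRC connection to the same host; the log format, IRC port 6667, the 60-second window and all addresses are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Ports named in the post: ident/auth (113) plus the common proxy ports.
IDENT_PORT = 113
PROXY_PORTS = {23, 80, 1080, 3128, 8000, 8080}
IRC_PORTS = {6667}              # assumption: client connects to plain IRC on 6667
WINDOW = timedelta(seconds=60)  # assumption: checks arrive within a minute
# Constructed sample log (hypothetical format: time direction src:port -> dst:port).
SAMPLE_LOG = """\
2002-05-30T20:01:00 OUT 192.0.2.10:40112 -> 198.51.100.5:6667
2002-05-30T20:01:01 IN 198.51.100.5:51000 -> 192.0.2.10:113
2002-05-30T20:01:02 IN 198.51.100.5:51001 -> 192.0.2.10:1080
2002-05-30T20:01:02 IN 198.51.100.5:51002 -> 192.0.2.10:3128
2002-05-30T20:01:03 IN 198.51.100.5:51003 -> 192.0.2.10:8080
2002-05-30T20:07:30 IN 203.0.113.77:40000 -> 192.0.2.10:1080
2002-05-30T20:30:00 IN 198.51.100.5:51900 -> 192.0.2.10:23
"""

LINE = re.compile(r"(\S+) (IN|OUT) ([\d.]+):(\d+) -> ([\d.]+):(\d+)")
def classify(log_text):
    """Label each inbound connection: ident-check, irc-proxy-check or unexplained."""
    irc_sessions = {}  # IRC server IP -> time of our most recent outbound connect
    results = []
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        direction, src, dst, dport = m.group(2), m.group(3), m.group(5), int(m.group(6))
        if direction == "OUT":
            if dport in IRC_PORTS:
                irc_sessions[dst] = ts
            continue
        started = irc_sessions.get(src)
        recent = started is not None and timedelta(0) <= ts - started <= WINDOW
        if recent and dport == IDENT_PORT:
            label = "ident-check"
        elif recent and dport in PROXY_PORTS:
            label = "irc-proxy-check"
        else:
            label = "unexplained"  # not tied to an IRC connect: look at this one
        results.append((src, dport, label))
    return results

if __name__ == "__main__":
    for src, dport, label in classify(SAMPLE_LOG):
        print(f"{src:15} -> port {dport:<5} {label}")
```

Only the entries labelled `unexplained` (a different source, or the IRC server's address long after the connect) need a closer look with `lsof -i`, `netstat` and `ps`.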