UPDATE!! (was Re: Have I been compromised? chkrootkit: "Warning: Possible LKM Trojan installed" - nmap: "port 1313 open")
From: Tom (northofthecold_at_yahoo.com)
Date: 11/14/03
Date: 14 Nov 2003 11:26:02 -0800
Update:
OK, I don't have portsentry installed.
Today, after getting a full night's rest, and finding the referenced
posting on uk.comp.os.linux, I did a ps.
Part of it shows:
root 1 0.0 0.0 84 52 ? S Oct30 0:20 init [5]
root 2 0.0 0.0 0 0 ? SW Oct30 0:14 [keventd]
root 0 0.0 0.0 0 0 ? SWN Oct30 0:01 [ksoftirqd_CPU0]
root 0 0.0 0.0 0 0 ? SW Oct30 2:32 [kswapd]
root 0 0.0 0.0 0 0 ? SW Oct30 0:05 [bdflush]
root 0 0.0 0.0 0 0 ? SW Oct30 2:50 [kupdated]
root 8 0.0 0.0 0 0 ? SW Oct30 0:01 [kreiserfsd]
root 65 0.0 0.0 0 0 ? SW Oct30 0:00 [khubd]
root 136 0.0 0.0 0 0 ? SW Oct30 0:05 [pagebufd]
root 137 0.0 0.0 0 0 ? SW Oct30 0:00 [xfslogd/0]
root 138 0.0 0.0 0 0 ? SW Oct30 0:00 [xfsdatad/0]
I count four processes there. That's how many chkrootkit is
complaining about.
Why wouldn't I have chkproc? I have chkrootkit installed...
However, one unsettling thing is that when I open a 'virtual terminal'
by pressing control+alt+f2 or f3, and I do ifdown and ifup, I get the
following strange results:
ifdown -a says "eth0: Promiscuous mode enabled.", which doesn't make
sense, cuz the interface is going down... and ifup -a says "eth0:
Setting half-duplex based on auto-negotiated partner ability 0000",
followed by *six* lines of eth0: Promiscuous mode enabled.
So, I feel like I'm clean, but then what the heck is running on port
1313?