Re: xhost worries
From: prg (rdgentry1_at_cablelynx.com)
Date: 2 Jan 2005 21:16:16 -0800
> "prg" <email@example.com> writes:
> > Digi wrote:
> >> I was just looking around today and noticed that when I run
> > ie., you do this:
> > $ xhost
> > access control enabled, only authorized clients can connect
> > (mine is blank ...)
> >> I get the following output:
> >> access control enabled, only authorized clients can connect
> > ie., you have not run "xhost +"
> >> INET:CPE-141-168-47-216.nsw.bigpond.net.au
> > You have run "xhost + CPE-141-168-47-216.nsw.bigpond.net.au"
> > (or someone has done it for you ;)
> I never added that host.
Afraid of that. Saw your ISP's net has an ASN located in Moscow and
being from Boise, suspected none of the "legitimate" reasons would
You ought to double check your firewall rules and make sure nothing is
allowed in on ports 6000-6063 (the X display ports). Not much reason
for someone to set your xhost without opening those ports.
Also run $ xhost daily to see if anything appears again.
Check your logs for _any_ unusual activity so you can judge just how
far they got -- it's too late but you will learn what to watch for.
Especially watch for outgoing packets that a trojan/backdoor may be
If I were you, I would plan on re-installing Linux. Backup your _data_
files so you can restore them, but under _no_ circumstances "restore"
_any_ binary or executable files from your current disk. I wouldn't
even restore configuration files :( though some think that's going too
If you wanted to, you could run chkrootkit:
It may or may not turn up anything, but can be very instructive.
You may want to bone up on securing Linux from intruders -- they've
gotten in once and may think it's worth trying again.
Assess your exposure now -- is anything "valuable" on your system or
just the system itself (for zombie or laundering duty). If you are not
"always on" with your internet connection (cable modem, e.g.) you're
better off -- buys you time to get organized for the re-install. Drop
your connection when you are not actually on the internet (I just turn
off the CM).
email above disabled
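The two checks prg recommends above (look at the xhost access list daily, and make sure the firewall does not accept anything on the X display ports 6000-6063) can be scripted. The script below is an added example and is not part of the original thread; it assumes the standard `xhost` output format (a header line followed by one access-list entry per line, such as `INET:host`, `SI:localuser:name`) and the rule syntax printed by `iptables -S`. Both inputs are constructed samples modelled on the output quoted in the thread; on a live host they would be replaced by `"$(xhost)"` and `"$(iptables -S INPUT)"`.

```shell
#!/bin/sh
# Added example (not from the thread): flag xhost entries that grant access to
# remote hosts, and flag firewall rules that accept traffic on the X display
# ports 6000-6063.

# Constructed sample of `xhost` output, modelled on the one quoted above.
# "SI:localuser:..." and "LOCAL:" entries are normal; any INET/INET6/NIS/DNET
# entry means a remote host may connect to the display.
SAMPLE_XHOST_OUTPUT='access control enabled, only authorized clients can connect
INET:CPE-141-168-47-216.nsw.bigpond.net.au
SI:localuser:digi'

# Constructed sample of `iptables -S INPUT` output with one rule that opens
# the X display port range (the thing prg says to check for).
SAMPLE_IPTABLES_RULES='-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6063 -j ACCEPT'

# Print every access-list entry that names a remote host.
# Exit status: 0 if the list is clean, 1 if any remote entry was found.
xhost_remote_entries() {
    printf '%s\n' "$1" | awk '
        /^access control/          { next }   # header line
        /^SI:localuser:/           { next }   # local user entries are expected
        /^LOCAL:/                  { next }   # local (non-network) connections
        /^(INET|INET6|NIS|DNET):/  { print; found = 1 }
        END { exit found ? 1 : 0 }
    '
}

# Print every ACCEPT rule whose --dport (single port or lo:hi range)
# overlaps 6000-6063. Exit status: 0 if none, 1 if any were found.
x_ports_open() {
    printf '%s\n' "$1" | awk '
        /-j ACCEPT/ && match($0, /--dport [0-9]+(:[0-9]+)?/) {
            spec = substr($0, RSTART + 8, RLENGTH - 8)   # strip "--dport "
            n = split(spec, r, ":")
            lo = r[1] + 0
            hi = (n > 1) ? r[2] + 0 : lo
            if (lo <= 6063 && hi >= 6000) { print; found = 1 }
        }
        END { exit found ? 1 : 0 }
    '
}

# Run both audits on the constructed samples.
xhost_remote_entries "$SAMPLE_XHOST_OUTPUT" || echo "WARNING: remote hosts in xhost access list"
x_ports_open "$SAMPLE_IPTABLES_RULES"        || echo "WARNING: firewall accepts X display ports 6000-6063"
```

Run from cron with the live `xhost` and `iptables -S INPUT` output and mail yourself the warnings; a clean host prints nothing for either check.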