Re: xhost worries

From: prg (rdgentry1_at_cablelynx.com)
Date: 01/03/05

    Date: 2 Jan 2005 21:16:16 -0800
    
    

    Digi wrote:
    > "prg" <rdgentry1@cablelynx.com> writes:
    >
    > > Digi wrote:
    > >> I was just looking around today and noticed that when I run 'xhost',
    > >
    > > i.e., you do this:
    > > $ xhost
    > > access control enabled, only authorized clients can connect
    > > (mine is blank ...)
    > >
    > >> I get the following output:
    > >>
    > >> access control enabled, only authorized clients can connect
    > >
    > > i.e., you have not run "xhost +"
    > >
    > >> INET:CPE-141-168-47-216.nsw.bigpond.net.au
    > >
    > > You have run "xhost + CPE-141-168-47-216.nsw.bigpond.net.au"
    > > (or someone has done it for you ;)
    > I never added that host.
    [snip]

    Afraid of that. Saw your ISP's net has an ASN located in Moscow and
    being from Boise, suspected none of the "legitimate" reasons would
    apply :(

    You ought to double check your firewall rules and make sure nothing is
    allowed in on ports 6000-6063 (the X display ports). Not much reason
    for someone to set your xhost without opening those ports.

    Also run "$ xhost" daily to see if anything appears again.

    Check your logs for _any_ unusual activity so you can judge just how
    far they got -- it's too late but you will learn what to watch for.
    Especially watch for outgoing packets that a trojan/backdoor may be
    sending outbound.

    If I were you, I would plan on re-installing Linux. Backup your _data_
    files so you can restore them, but under _no_ circumstances "restore"
    _any_ binary or executable files from your current disk. I wouldn't
    even restore configuration files :( though some think that's going too
    far.

    If you wanted to, you could run chkrootkit:
    http://www.chkrootkit.org/
    It may or may not turn up anything, but can be very instructive.

    You may want to bone up on securing Linux from intruders -- they've
    gotten in once and may think it's worth trying again.

    Assess your exposure now -- is anything "valuable" on your system or
    just the system itself (for zombie or laundering duty). If you are not
    "always on" with your internet connection (cable modem, e.g.) you're
    better off -- buys you time to get organized for the re-install. Drop
    your connection when you are not actually on the internet (I just turn
    off the CM).

    Good luck,
    prg
    email above disabled
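The daily `xhost` check suggested in the post, as an added example that is not part of the original thread: a small POSIX sh script that reads `xhost` output on stdin, tags each access-list entry as a network host (INET:/INET6:) or a local entry, and reports whether access control was disabled outright. The sample output and the `digi` local-user entry are constructed for the demonstration; the host name is the one from the thread.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output of `xhost`
# so a cron job can flag remote hosts granted access to the X display.
# All functions read xhost output on stdin.

# "open" when the status line says access control is disabled (someone ran
# "xhost +"), otherwise "restricted".
xhost_mode() {
    head -n 1 | grep -q 'access control disabled' && echo open || echo restricted
}

# Print one line per access-list entry, tagged REMOTE or LOCAL.
# The first line is the status line; each later non-empty line is an entry.
# INET:/INET6: entries are network hosts; SI:, LOCAL: etc. are local.
classify_xhost() {
    tail -n +2 | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        case "$entry" in
            INET:*|INET6:*) printf 'REMOTE %s\n' "$entry" ;;
            *)              printf 'LOCAL %s\n' "$entry" ;;
        esac
    done
}

# Exit status 1 if any remote host is in the access list, 0 otherwise,
# so it can drive an alert: xhost | xhost_has_remote || logger -p auth.warn ...
xhost_has_remote() {
    classify_xhost | grep -q '^REMOTE ' && return 1
    return 0
}

# Constructed sample mimicking what the original poster saw, plus a
# hypothetical local-user entry so both tags are exercised.
SAMPLE_XHOST='access control enabled, only authorized clients can connect
INET:CPE-141-168-47-216.nsw.bigpond.net.au
SI:localuser:digi'

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_XHOST" | classify_xhost
```

In daily use replace the sample with a live `xhost | classify_xhost` run and act on any REMOTE line or an "open" mode.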

