Xterm

From: Yahoo - CQRMail (cqrmailat_private)
Date: Thu Oct 25 2001 - 18:58:05 PDT


    My Snort IDS picked up a bunch of X11 signatures:
    http://www.whitehats.com/info/ids126
    Source IP is a random public address, Source port is 6000...random
    destination inside ports.
    
    I have blocked 6000 at the firewall, but I don't know where to begin
    tracking down what is compromised on the server. I am running Mandrake 8,
    only ports allowed are 80 and 22...xdm has been disabled.
    
    I didn't see much in the logs, so where should I begin? And what should I
    look for?
    
    I will probably rebuild the server, but I would like to see if I can find
    out what has been done first, so I can be prepared later...
    
    TIA...new to Linux, so I apologize for my crude question,
    Tony
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 08:37:30 PDT