From: dewt (dewtat_private)
Date: Fri Oct 26 2001 - 11:09:00 PDT

    On Thursday 25 October 2001 08:58 pm, Yahoo - CQRMail wrote:
    > My snort IDS picked up a bunch of X11 signatures:
    > Source IP is a random public address, Source port is 6000...random
    > destination inside ports.
    > I have blocked 6000 at the firewall, but I don't know where to begin
    > tracking down what is compromised on the server. I am running Mandrake 8,
    > only ports allowed are 80 and 22...xdm has been disabled.
    > I didn't see much in the logs, so where should I begin? and what should I
    > look for?
    > I will probably rebuild the server, but I would like to see if I can find
    > out what has been down first, so I can be prepared later...
    > to linux, so I apologize for my crude question,
    > Tony
    The snort rule for it is pretty vague and looks prone to false positives; it 
    could just have been legitimate traffic, but of course you should still look 
    into it. Try using nmap or some other scanner on one of the machines and see 
    if port 6000 is open on that. Also look in your /etc/shadow and /etc/passwd 
    for accounts that shouldn't be there or accounts with passwords that shouldn't 
    have them. Also look in the .ssh directory in each user's home directory and 
    see if any of them have an authorized_keys2 file; if they do, that's bad unless 
    you set that up =P
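The host checks dewt lists above (UID 0 accounts that are not root, locked system accounts that have somehow acquired a password hash, accounts with an empty password field, and stray authorized_keys / authorized_keys2 files) can be scripted so they are run the same way on every box. The script below is an added example, not code from the thread. It runs against constructed sample passwd, shadow and home-directory files in a temp dir so it can be tried offline; the system-account UID threshold of 500 is an assumption, and the external `nmap -p 6000 host` scan is left out because it needs the network. Point the functions at /etc/passwd, /etc/shadow and /home (as root) to run them for real.

```shell
#!/bin/sh
# Triage for the checks in the reply above. Added example, not from the thread.
# The port-6000 check is done from another machine: nmap -p 6000 <host>

# Usernames other than root that have UID 0 (full root privileges).
find_extra_root_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts whose shadow password field is empty: login with no password at all.
find_empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# System accounts (UID 1 .. threshold-1; threshold assumed 500) whose shadow
# field is a real hash instead of a locked marker ("*", "!", "!!").
# Usage: find_passworded_system_accounts PASSWD SHADOW [UID_THRESHOLD]
find_passworded_system_accounts() {
    awk -F: -v max="${3:-500}" '
        NR == FNR { if ($3 > 0 && $3 < max) sys[$1] = 1; next }
        ($1 in sys) && $2 != "" && $2 !~ /^[*!]/ { print $1 }
    ' "$1" "$2"
}

# authorized_keys and authorized_keys2 files under each home directory.
find_authorized_keys() {
    find "$1" -path '*/.ssh/authorized_keys*' 2>/dev/null | sort
}

# Constructed sample data (not real system files): one bogus UID 0 account,
# one system account with a password hash, one empty password, one key file.
build_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
tony:x:500:500:Tony:/home/tony:/bin/bash
r00t:x:0:0::/tmp:/bin/bash
guest:x:501:501::/home/guest:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$1$saltsalt$hashhashhashhashhashhas:11600:0:99999:7:::
bin:*:11600:0:99999:7:::
daemon:$1$saltsalt$anotherhashanotherhash:11600:0:99999:7:::
tony:$1$saltsalt$hashhashhashhashhashhas:11600:0:99999:7:::
r00t:$1$saltsalt$hashhashhashhashhashhas:11600:0:99999:7:::
guest::11600:0:99999:7:::
EOF
    mkdir -p "$d/home/tony/.ssh" "$d/home/guest/.ssh"
    echo "ssh-rsa AAAA... tony@laptop" > "$d/home/tony/.ssh/authorized_keys2"
    echo "$d"
}

# Print every finding for a root directory holding passwd, shadow and home/.
triage() {
    echo "== UID 0 accounts besides root ==";    find_extra_root_accounts "$1/passwd"
    echo "== accounts with empty password ==";  find_empty_passwords "$1/shadow"
    echo "== system accounts with a hash ==";   find_passworded_system_accounts "$1/passwd" "$1/shadow"
    echo "== authorized_keys files ==";         find_authorized_keys "$1/home"
}

SAMPLE=$(build_samples)
triage "$SAMPLE"
```

On the sample data the script reports r00t as a second UID 0 account, guest as having no password, daemon as a system account carrying a hash, and tony's authorized_keys2 file; only the last of those is expected and only because the owner set it up.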
