Despite all the debate, This is for sure that the system is being comrpomised by some sort of rootkit, but this is not the point here to prove that the system is compromised with a rootkit or not. What I am trying to do is that to see and gather the information about the binaries replaced on the system and try to avoind all such things in the future. This might be helpfull for maybe others in case the same guy tries to ./h4x0r some other box. rpc.statd and linuxconf web access is stopped as the init scripts. I see a file in /dev/data/scaner with attrivutes, crwx--x--x This c attribute makes is suspicious. This is not a regular /dev entry and it is also 0 byte file. So can't view it or see it with strings. The rest of the thing is that I get a new copy of all the netstat, lsof and other similar tools and get a close look of the binaries. The purpose of posting this here was just to save time from examining all the files. Thats all .. Naseer ----- Original Message ----- From: "dewt" <dewtat_private> To: "Naseer Bhatti" <naseerat_private>; "Incidents" <incidentsat_private> Sent: Friday, October 26, 2001 11:13 PM Subject: Re: Strange Behaviour ! > On Friday 26 October 2001 12:47 pm, Naseer Bhatti wrote: > > [...] > > and finaly I am posting this to Incodents > > [...] > > > > Hi, I am administrating a Linux box running RedHat 7.1 with 2.4.2-2 kernel. > > Infact it's my fiend's box..anyway.. I noticed strange behaviour on the > > system. First of all strange ports are opened and the system is also on > > some sort of Firewall. Let me explain in detail. > > > > My Observations ... > > > > Active Internet connections (servers and established) > > Proto Recv-Q Send-Q Local Address Foreign Address State > > tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN > > tcp 0 0 0.0.0.0:98 0.0.0.0:* LISTEN > > > > [...] > > > > like this is the output of netstat -an. I see here port 32768 listening oon > > but can't find any data when telnet 0 32768. This port seems to be > > something like > > > the one on port 32768 is rpc.statd (to stop it from running do > /etc/rc.d/init.d/nfslock stop) and is normal to be there, the second is the > linuxconf web port which will only be on if you have that turned on (to stop > it do /etc/rc.d/init.d/linuxconf stop) that will only stop it temporarily, to > stop it permanetly run ntsysv and deselect them from the list (use space to > do that) > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 11:52:43 PDT