Re: [cobalt-users] Security Problems
- Subject: Re: [cobalt-users] Security Problems
- From: shimi <shimi@xxxxxxxxxxxxxxxx>
- Date: Sat Jun 30 06:12:52 2001
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
On Sat, 30 Jun 2001, DJ Busch wrote:
> I have recently begun receiving e-mails regarding scans apparently
> originating from my system. I'm being told that my server (216.219.239.87)
> is conducting port scans on other computers, but I can't figure out why.
>
> I'm not sure which log to look into or what to look for to find proof that
> someone is using my RAQ as a gateway or spoofing my IP address. There must
> be a way I can detect this and bring it to a swift end, as I'm at my wits
> end trying to figure it out.
>
spoofing? no... you can spoof the source of data, but you can't *scan* or
*connect* to machines with that, for a simple reason - the target returns its
answers to the spoofed address and not to you...
I would run a portscan on your machine, using nmap
(http://freshmeat.net/projects/nmap) (on a *nix box)
(run a full scan, from port 1 to 65535)
and see what's open:
you should have, on normal configuration, only:
21 - ftp
23 - telnet
25 - smtp (sendmail transport agent)
80 - webserver
81 - admin server
110 - pop3 (mail receiving)
143 - imap (Interim Mail Access Protocol)
443 - webserver SSL access
444 - admin server (although nobody still figured why it uses that port)
that's all, I think
also try chkrootkit:
http://www.chkrootkit.org/
there are more, which I don't recall.
search for "/bin/sh" in /etc/inetd.conf
and search the mailing list archives.... (look at the signature of this
email)
> Any help would be GREATLY appreciated in this matter, and the faster the
> better.
>
that's a start :)
>
> DJ Busch
> webmaster@xxxxxxxxxxxxx
>
- shimi.
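The checks shimi lists above (full-range nmap scan compared against the expected RaQ port list, then a grep of /etc/inetd.conf for /bin/sh) as a script. This is an added example, not code from the original thread or from Cobalt. The nmap grepable output and the inetd.conf contents embedded below are constructed samples so the script runs offline; the function names (unexpected_ports, inetd_shell_entries) and the 6667/31337/ingreslock entries in the samples are illustrative assumptions, not findings from the poster's machine.

```shell
#!/bin/sh
# Added example (not from the original post): audit a RaQ's listening ports
# against the list shimi gives as a stock configuration, and flag inetd
# entries that hand out a shell. All sample data below is constructed.

# Ports shimi lists as normal on a stock RaQ (from the post above).
EXPECTED_PORTS="21 23 25 80 81 110 143 443 444"

# unexpected_ports: reads nmap grepable output (nmap -oG -) on stdin and
# prints, space-separated on one line, every open TCP port that is not in
# EXPECTED_PORTS. Anything printed deserves a look.
unexpected_ports() {
    # A grepable "Host:" line carries a field like
    #   Ports: 21/open/tcp//ftp///, 23/open/tcp//telnet///, ...
    grep '^Host:' | grep 'Ports:' | sed 's/.*Ports: //' | tr ',' '\n' |
    awk -v expected="$EXPECTED_PORTS" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        {
            sub(/^[ \t]+/, "")          # drop the space after each comma
            split($0, f, "/")           # f[1]=port, f[2]=state, f[3]=proto
            if (f[2] == "open" && !(f[1] in ok))
                out = out (out == "" ? "" : " ") f[1]
        }
        END { print out }'
}

# inetd_shell_entries: reads an inetd.conf on stdin and prints the service
# name of every non-comment entry whose server program is /bin/sh, which is
# the "search for /bin/sh in /etc/inetd.conf" check from the post.
inetd_shell_entries() {
    grep -v '^[[:space:]]*#' | grep '/bin/sh' | awk '{ print $1 }'
}

# Constructed nmap -oG output for a box with two ports beyond the stock set.
# The 6667 and 31337 entries are made up to exercise the check.
sample_gnmap() {
    printf 'Host: 216.219.239.87 ()\tPorts: 21/open/tcp//ftp///, 23/open/tcp//telnet///, 25/open/tcp//smtp///, 80/open/tcp//http///, 81/open/tcp//hosts2-ns///, 110/open/tcp//pop3///, 143/open/tcp//imap///, 443/open/tcp//https///, 444/open/tcp//snpp///, 6667/open/tcp//irc///, 31337/open/tcp//Elite///\tIgnored State: closed (65524)\n'
}

# Constructed inetd.conf with one backdoor-style entry (the ingreslock line
# is a made-up illustration of the /bin/sh pattern, not real data).
sample_inetd() {
    cat <<'EOF'
# /etc/inetd.conf - constructed sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
pop-3   stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
ingreslock stream tcp nowait root /bin/sh sh -i
EOF
}

main() {
    echo "Open ports not in the stock RaQ list:"
    sample_gnmap | unexpected_ports
    echo "inetd services that run /bin/sh:"
    sample_inetd | inetd_shell_entries
}

main "$@"
```

On the real machine, replace the samples with live input: `nmap -sT -p 1-65535 -oG - <your-ip> | unexpected_ports` and `inetd_shell_entries < /etc/inetd.conf` (run the scan from a second host, as the post suggests, so a trojaned local nmap or libc cannot hide a listener; the same caveat applies to the grep, which is why chkrootkit is worth running as well).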