
RE: [cobalt-users] Security Problems



Hello, I got caught with ssh.
To kill it I run:

top -n 1 | grep ssh
# the above returns the top line containing the ssh process; then I got the pid and

kill xxxx

I am guessing the other 2 processes you have running aren't in inetd.conf, so they can
also be killed by the pid.
Best wishes, Gerald Y


On Sun, 01 Jul 2001, you wrote:
> Thanks for the suggestion!  I installed nmap and ran it with the command line
> "nmap -p 1-65535 216.219.239.8" and it returned the following:
> 
>   Starting nmap V. 2.53 by fyodor@xxxxxxxxxxxx ( www.insecure.org/nmap/ )
>   Interesting ports on  (216.219.239.8):
>   (The 65532 ports scanned but not shown below are in state: closed)
>   Port       State       Service
>   22/tcp     open        ssh
>   53/tcp     open        domain
>   1501/tcp   open        sas-3
> 
>   Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
> 
> These ports aren't included in the list shimi gave.  Can I just go into the
> services file and remove them?  What can I do to shut these off and what
> happens if none of these ports is the problem?
> 
> 
> DJ Busch
> 
> -----Original Message-----
> From: cobalt-users-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-users-admin@xxxxxxxxxxxxxxx]On Behalf Of shimi
> Sent: Saturday, June 30, 2001 2:14 PM
> To: Cobalt List
> Subject: Re: [cobalt-users] Security Problems
> 
> 
> 
> On Sat, 30 Jun 2001, DJ Busch wrote:
> 
> > I have recently begun receiving e-mails regarding scans apparently
> > originating from my system.  I'm being told that my server
> (216.219.239.87)
> > is conducting port scans on other computers, but I can't figure out why.
> >
> > I'm not sure which log to look into or what to look for to find proof that
> > someone is using my RAQ as a gateway or spoofing my IP address.  There
> must
> > be a way I can detect this and bring it to a swift end, as I'm at my wit's
> > end trying to figure it out.
> >
> 
> spoofing? no... you can spoof the source of data, but you can't *scan* or
> *connect* to machines with that, for a simple reason - the target is
> returned answers to the spoofed address and not to you...
> 
> I would run a portscan on your machine, using nmap
> (http://freshmeat.net/projects/nmap) (on a *nix box)
> 
> (run a full scan, from port 1 to 65535)
> and see what's open:
> 
> you should have, on normal configuration, only:
> 
> 21 - ftp
> 23 - telnet
> 25 - smtp (sendmail transport agent)
> 80 - webserver
> 81 - admin server
> 110 - pop3 (mail receiving)
> 143 - imap (Interim Mail Access Protocol)
> 443 - webserver SSL access
> 444 - admin server (although nobody still figured why it uses that port)
> 
> that's all, i think
> 
> also try chkrootkit:
> http://www.chkrootkit.org/
> 
> there are more, which I don't recall.
> search for "/bin/sh" in /etc/inetd.conf
> 
> and search the mailing list archives.... (look at the signature of this
> email)
> 
> > Any help would be GREATLY appreciated in this matter, and the faster the
> > better.
> >
> that's a start :)
> >
> > DJ Busch
> > webmaster@xxxxxxxxxxxxx
> >
> - shimi.
> 
> _______________________________________________
> cobalt-users mailing list
> cobalt-users@xxxxxxxxxxxxxxx
> To Subscribe or Unsubscribe, please go to:
> http://list.cobalt.com/mailman/listinfo/cobalt-users
-- 
Gerald Young    www.coolcat.net
 www.coolcoach.net - THE HOTTEST WAY TO LEARN -
-------------------------------------------------------------
Localhost: 10:23am  up 14:27,  3 users,  load average: 0.37, 0.10, 0.03
    Server:  5:47pm  up 343 days,  1:09,  1 user,  load average: 0.08, 0.02, 0.01

Word .doc's not accepted and automatically deleted
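The two checks shimi suggests in the quoted message (compare a full nmap scan against the list of ports a stock RaQ should have open, and look for inetd.conf entries that hand a socket to /bin/sh) can be scripted so the comparison is repeatable. The following is an added example written for this page, not code from any of the list posters or from Cobalt. The baseline port set is the one shimi listed; the nmap text is a constructed copy of the output DJ quoted; the inetd.conf excerpt is constructed, with the service name "sas-3" borrowed from the scan only to make the fixture read naturally. Note the caveat built into the report: port 22 shows up as "unexpected" purely because it is absent from shimi's stock list, so an admin who installed sshd deliberately should add 22 to the baseline before reading anything into that line.

```python
"""Compare an nmap port listing against an expected baseline and look for
inetd.conf entries that launch /bin/sh.  Added example, not from the thread."""
import re

# Baseline of ports shimi listed as normal for a stock RaQ (taken from the thread).
EXPECTED_PORTS = {21, 23, 25, 80, 81, 110, 143, 443, 444}

# Constructed copy of the nmap 2.53 output quoted in the thread.
SAMPLE_NMAP_OUTPUT = """\
Starting nmap V. 2.53 by fyodor@xxxxxxxxxxxx ( www.insecure.org/nmap/ )
Interesting ports on  (216.219.239.8):
(The 65532 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
53/tcp     open        domain
1501/tcp   open        sas-3

Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
"""

# Matches the per-port rows of nmap's plain-text output: "22/tcp  open  ssh".
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_nmap_ports(text):
    """Return (port, proto, state, service) tuples from nmap plain-text output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            ports.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return ports


def unexpected_open_ports(text, expected=EXPECTED_PORTS):
    """Open TCP ports in the scan that are not in the baseline, sorted by number."""
    return sorted(p for p, proto, state, _ in parse_nmap_ports(text)
                  if proto == "tcp" and state == "open" and p not in expected)


def missing_expected_ports(text, expected=EXPECTED_PORTS):
    """Baseline ports the scan did not report open (a daemon that vanished is
    worth a look too, not only one that appeared)."""
    open_tcp = {p for p, proto, state, _ in parse_nmap_ports(text)
                if proto == "tcp" and state == "open"}
    return sorted(expected - open_tcp)


# Constructed inetd.conf excerpt: two ordinary tcpd-wrapped services, one
# commented-out line, and one entry that hands the socket straight to /bin/sh.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
sas-3   stream  tcp     nowait  root    /bin/sh  sh
"""


def shell_entries_in_inetd(text):
    """(line number, service name) for active inetd.conf lines whose server
    program or arguments contain /bin/sh.  Comment lines are skipped, which
    a plain grep for "/bin/sh" would not do."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        # inetd.conf layout: service type proto wait user server-program [args]
        if len(fields) >= 6 and "/bin/sh" in fields[5:]:
            hits.append((n, fields[0]))
    return hits


if __name__ == "__main__":
    print("open ports not in baseline:", unexpected_open_ports(SAMPLE_NMAP_OUTPUT))
    print("baseline ports not open:   ", missing_expected_ports(SAMPLE_NMAP_OUTPUT))
    print("inetd.conf lines using /bin/sh:", shell_entries_in_inetd(SAMPLE_INETD_CONF))
```

To run it against a real scan, replace the constructed strings with `open("scan.txt").read()` and `open("/etc/inetd.conf").read()`; the parser only needs nmap's plain-text port table, which has kept the same `port/proto  state  service` layout since the 2.x versions quoted above.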