[cobalt-users] RaQ4 R - Hack? Open port 1024, hbci and mIRKFORCE-2 Help needed
- Subject: [cobalt-users] RaQ4 R - Hack? Open port 1024, hbci and mIRKFORCE-2 Help needed
- From: "Hans Hoefer" <hans@xxxxxxxxx>
- Date: Sat May 4 00:00:01 2002
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
Hi,
I think I'm hacked.
When the hacker is active I have no access to the shell (no telnet, no
ssh) and the whole system (ftp, web access) is as slow as h... When he is
gone everything works fine.
Now I have "top" running around the clock and it showed me
that there was a strange process active: mIRKFORCE-2
Searching Google I found out:
http://www.netsys.com/suse-linux-security/2002/01/msg00645.html
http://hackreport.magicnet.org/mirkforce-info.html
I also found out: /usr/local/bin/portscan was installed on my machine
A portscan showed that these ports are open:
1024 Reserved ? (Hacker Port ?)
3000 HBCI or RemoteWare Client (HBCI = Home Banking Computer
Interface, it listens on port 3000 and works with a 768 bit key)
3001 Redwood Broker (Game Port? Hacker Port?)
I found in the logs:
May 3 13:43:02 dns1 .xffs[31821]: log: Generating new 768 bit RSA key.
May 3 13:43:02 dns1 .xffs[31821]: log: RSA key generation complete.
What's going on and how can I fight the intruder? The logs showed me
IPs from Japan and Taiwan.
How can I block their IPs?
I have no knowledge about Linux. If I can get help from one of you I'd
need detailed help about the commands.
Can someone help me with this, please?
Hans Hoefer
--
hans@xxxxxxxxx