
[cobalt-users] weird /local/local/portsentry ipchains happening



So an in-house user was complaining that she could not connect to the server or email, and I took a look at /var/log/messages.

It said:

Nov 20 16:01:42 raq portsentry[1290]: attackalert: ERROR: cannot open ignore file. Blocking host anyway.
Nov 20 16:01:42 raq portsentry[1290]: attackalert: Connect from host: xxx.xxx.xxx.243/xxx.xxx.xxx.243 to UDP port: 161
Nov 20 16:01:42 raq portsentry[1290]: adminalert: ERROR: Cannot open blocked file: /usr/local/psionic/portsentry/portsentry.blocked.udp for reading. Will create.
Nov 20 16:01:42 raq portsentry[1290]: attackalert: Host xxx.xxx.xxx.243 has been blocked via wrappers with string: "ALL: xxx.xxx.xxx.243"
Nov 20 16:01:42 raq portsentry[1290]: attackalert: Host xxx.xxx.xxx.243 has been blocked via dropped route using command: "/sbin/ipchains -I input -s xxx.xxx.xxx.243 -j DENY -l"

So I went to look at portsentry and found that another /local directory had been added. Now, I've done some dumb things, but I don't see how I would have done this. Everything in /usr/local had been moved to /usr/local/local. I moved everything back to /usr/local.

I don't know anything yet about ipchains, so I just wrote out that last line and inserted ACCEPT instead of DENY. Not sure that's the proper way to do it. Maybe there's a way to just delete the DENY statement.

But the computer connects again. I ran chkrootkit and it said bindshell was infected, but when I turned off portsentry it was negative. I didn't realize I had ipchains running, but maybe it is something portsentry does?

Anyone know what I should do next or check for? Things seem to be working but I wonder what the heck happened.

cheers,

--
Jim D.
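The post above asks whether there is a way to delete the DENY rule rather than inserting an ACCEPT in front of it. As an added example (not part of the original message, and not portsentry's own code), the script below reads portsentry "attackalert" lines of the kind quoted in the post, pulls out every host that was blocked via the dropped-route command, and prints the commands that undo that block: `ipchains -D` with the same rule specification portsentry used with `-I` (ipchains deletes the first rule whose parameters match, so the `-s`, `-j DENY` and `-l` flags must match the rule that was inserted), plus a `sed` line that removes the "ALL: host" entry portsentry added to /etc/hosts.deny via TCP wrappers, since the wrappers block survives a reboot even though the ipchains rule does not. The log lines and the addresses in them are constructed sample data, and it is assumed the hosts.deny line is exactly the "ALL: host" string portsentry logged. The script only prints the commands; it does not run them.

```shell
#!/bin/sh
# Constructed sample of portsentry attackalert lines (addresses from the
# RFC 5737 documentation ranges; not taken from the original message).
SAMPLE_LOG='Nov 20 16:01:42 raq portsentry[1290]: attackalert: Connect from host: 192.0.2.243/192.0.2.243 to UDP port: 161
Nov 20 16:01:42 raq portsentry[1290]: attackalert: Host 192.0.2.243 has been blocked via wrappers with string: "ALL: 192.0.2.243"
Nov 20 16:01:42 raq portsentry[1290]: attackalert: Host 192.0.2.243 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 192.0.2.243 -j DENY -l"
Nov 20 16:05:10 raq portsentry[1290]: attackalert: Host 198.51.100.7 has been blocked via dropped route using command: "/sbin/ipchains -I input -s 198.51.100.7 -j DENY -l"'

# Read log lines on stdin and print each host that portsentry blocked via the
# dropped-route (ipchains) command, once per host. "Connect from host" and
# "blocked via wrappers" lines are ignored on purpose: only the dropped-route
# line proves an ipchains rule was inserted.
blocked_hosts() {
    sed -n 's/.*attackalert: Host \([0-9.]*\) has been blocked via dropped route.*/\1/p' | sort -u
}

# Read log lines on stdin and print, for each blocked host, the two commands
# that undo the block. ipchains -D removes the first rule matching the given
# specification, so the flags repeat the -I line portsentry logged. The sed
# command assumes the hosts.deny entry is exactly "ALL: <host>" (the string
# portsentry logged) and escapes the dots so they match literally.
unblock_commands() {
    blocked_hosts | while read -r host; do
        esc=$(printf '%s' "$host" | sed 's/\./\\./g')
        printf '/sbin/ipchains -D input -s %s -j DENY -l\n' "$host"
        printf "sed -i '/^ALL: %s\$/d' /etc/hosts.deny\n" "$esc"
    done
}

# Demo run over the constructed sample; on a real box, feed it the relevant
# lines from /var/log/messages instead, e.g.
#   grep 'portsentry.*dropped route' /var/log/messages | unblock_commands
printf '%s\n' "$SAMPLE_LOG" | unblock_commands
```

Review the printed commands before running them as root; `ipchains -L input -n` shows the live rules so you can confirm the DENY entry is gone, and an in-house address that should never be blocked belongs in the portsentry ignore file, which the log in the post shows could not be opened while the directory was misplaced.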