PLEX86  x86- Virtual Machine (VM) Program

hacked



Does your firewall allow SSH from outside ? What else is allowed ? (iptables --list shows the current firewall setup, IF you use iptables of course)

First of all: physically killing the network connection is worth considering. Don't trust your box even after the hostile client is disconnected. A rootkit may be planted on your box already, and/or other measures may have been taken to compromise your box. Even log and ps/top output and the like are bound to be unreliable.

Programs like rkhunter and chkrootkit can be of help spotting such software being installed on your box. Check log files, maybe there is something useful there. nmap can be used to spot open/listening ports/apps on your box. On the local host type nmap -sV localhost -p 1-65535 to see what ports respond and which apps/services. Mine looks like this:

    CEST
    Interesting ports on localhost (127.0.0.1):
    (The 65530 ports scanned but not shown below are in state: closed)
    PORT     STATE SERVICE  VERSION
    21/tcp   open  ftp      vsFTPd 2.0.3
    22/tcp   open  ssh      OpenSSH 4.2 (protocol 2.0)
    80/tcp   open  http     Apache httpd 2.0.54 ((Fedora))
    443/tcp  open  ssl/http Apache httpd 2.0.54 ((Fedora))
    3306/tcp open  mysql    MySQL 4.1.16

Scanning another (client) host on my LAN:

    CEST
    Note: Host seems down. If it is really up, but blocking our ping probes, try -P0
    Nmap finished: 1 IP address (0 hosts up) scanned in 3.263 seconds


You could check your process list to see what progs are running. I once encountered maildrop in the list which I had definitely not started. I had made a crucial error in my firewall setup that time, inadvertently letting everything through. I ended up wiping everything, as I could not pinpoint the culprit anymore.

Ehh why were you logged in as root ? Coincidence ? Or especially for this cause ? Be careful!

Anyway, as said, don't trust "everything's fine type output" from any program! If however the output is alarming, (as it is from netstat), don't take those indications for false positives!

(Are there legit users who log in from the web to your box using SSH? They may also be the leak's origin.)

Good luck! Sh.
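
The port check described in the post above can be turned into a repeatable comparison; the following is an added example, not part of the original post. It parses nmap -sV table output in the format shown and reports listeners that are not in a written-down baseline. The function names, the baseline and the 50001/tcp row are assumptions constructed for illustration.

```python
import re

# Matches nmap table rows such as "22/tcp open ssh OpenSSH 4.2 (protocol 2.0)".
ROW = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_nmap(text):
    """Return {(port, proto): (service, version)} for rows in state 'open'."""
    found = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "open":
            port, proto, _state, service, version = m.groups()
            found[(int(port), proto)] = (service, version.strip())
    return found


def diff_against_baseline(scan, baseline):
    """Compare a parsed scan with the listeners the admin expects.

    Returns (unexpected, changed, missing), each a sorted list of keys:
    open but not in the baseline, open with a different service name,
    and expected but not seen in the scan.
    """
    unexpected = sorted(k for k in scan if k not in baseline)
    changed = sorted(k for k in scan
                     if k in baseline and scan[k][0] != baseline[k])
    missing = sorted(k for k in baseline if k not in scan)
    return unexpected, changed, missing


# Constructed sample: the five services from the post's scan plus one
# invented row (50001/tcp) standing in for a listener nobody installed.
SAMPLE_SCAN = """\
PORT      STATE SERVICE  VERSION
21/tcp    open  ftp      vsFTPd 2.0.3
22/tcp    open  ssh      OpenSSH 4.2 (protocol 2.0)
80/tcp    open  http     Apache httpd 2.0.54 ((Fedora))
443/tcp   open  ssl/http Apache httpd 2.0.54 ((Fedora))
3306/tcp  open  mysql    MySQL 4.1.16
50001/tcp open  unknown
"""

# Hypothetical baseline, recorded while the box was known to be clean.
BASELINE = {(21, "tcp"): "ftp", (22, "tcp"): "ssh", (80, "tcp"): "http",
            (443, "tcp"): "ssl/http", (3306, "tcp"): "mysql"}

if __name__ == "__main__":
    new, changed, gone = diff_against_baseline(parse_nmap(SAMPLE_SCAN), BASELINE)
    for label, keys in (("UNEXPECTED", new), ("CHANGED", changed), ("MISSING", gone)):
        for port, proto in keys:
            print(f"{label}: {port}/{proto}")
```

Because the post warns that output from the suspect box itself may be unreliable, feed this a scan taken from a second, trusted machine where possible.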


