need help with root hack

Schraalhans Keukenmeester ..snip..

Yeah, I'm going to rebuild the box. =/ Think Slackware is any more secure out-of-the-box? FC4?

To be honest, I have no recollection of if I created it or not. If I did, it probably didn't have a good password. (*thud*)

I have no idea what my firewall rules look like. =( I once looked into IPTABLES and it was like having to learn a whole new language, and not a friendly one either. I just used the built-in Fedora Core firewall manager and only had ports 22 and 80 open.

Fortunately I do know enough to have in my /etc/sshd_config:

PermitRootLogin no
AllowUsers liam duane

So, that's a not bad thing I guess. But, how do I check what services I have running on open ports??

Yeah, before I removed the testuser home dir and that hidden folder in tmp, I copied them over to /root so I could look at them. I'll move them somewhere off the PC. Now if I could only really understand what it's telling me. =/

Uhm, OK. I used grc.com's ShieldsUp and according to it, only 22 and 80 are open to the outside. All else is "stealthed." I'll see what I can do about nmap from the outside.

-able rpms I believe) can

Well, I ran chkrootkit and got this: a LOT of entries labeled "not infected" and the like, and then...

Checking `chkutmp'... The tty of the following user process(es) were not found in /var/run/utmp !
! RUID PID TTY CMD
! root 3128 tty4 /sbin/mingetty tty4
! root 3134 tty5 /sbin/mingetty tty5
! root 3140 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
ROOTDIR is `/'
Checking `ps'... not infected
Checking `ls'... not infected
Checking `sniffer'... eth0: PF_PACKET(/usr/local/bin/snort)

I don't understand the tty thing. Is that good or bad?

rkhunter (these are cool programs!) and it came up with:

..
* Application version scan
- GnuPG 1.2.4 OK
- Apache 2.0.51 Old or patched version
- Bind DNS 9.2.3 OK
- OpenSSL 0.9.7a Old or patched version
- PHP 4.3.10 Old or patched version
- Procmail MTA 3.22 OK
- OpenSSH 3.6.1p2 Old or patched version
..
---------------------------- Scan results ----------------------------
MD5
MD5 compared: 49
Incorrect MD5 checksums: 0
File scan
Scanned files: 342
Possible infected files: 0
Application scan
Vulnerable applications: 4

Now, you mentioned bash was replaced... that didn't seem to detect that. Yikes. =(

I'm looking into tripwire for the new install. Still I wonder, which will be the more useful and secure for the Linux security newbie like me. FC 4 or Slackware 10.2. =/

Thanks for all the help! This is a lot of great advice and information!!

BTW, I ran chkrootkit on another server in a different WAN, and got:

warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
warning, got duplicate tcp line.
INFECTED (PORTS: 31337)

What can you tell me about these findings? What is a duplicate TCP line? And more importantly, how can I find out what's going on with port 31337! ("elite." Cute. Not.)

THANKS!!
-Liam