[lug] newbie question - rc.sysinit
Timothy C. Klein
teece at silverklein.net
Thu Jul 12 00:16:41 MDT 2001
On Wednesday 11 July 2001 03:48 pm, Anne George wrote:
> Hi,
>
> I've gotten two emails in the last two months stating that my machine was
> used to run a port scan.
What kind of port scans? Have you ruled out a misconfigured or buggy
program? I know that when I goof something up on one of my machines, Snort
will sometimes detect my mistakes as attacks, but they aren't actually
malicious. When I didn't pay attention to samba or nfs setups, I was told on
machine A that machine B (both my machines) had attempted a Chameleon Buffer
overflow attack (I don't even know what that is), and RPC attacks, from what
I remember. These scans did really happen, but they weren't because I was
cracked and being used as a zombie. Rather, they were results of my own
mistakes.
So definitely check that out. If your machine has indeed been cracked,
though, there may very well be no easy way to detect it now. If the attacker
were any good at all, they will be doing things to hide their tracks (e.g., top
and ps won't show the evil processes, ls won't show the bad guys' files,
etc.). A full security audit, and quite possibly a complete reinstall, would
be in order if you can track it down to a crack.
Search for files that belong to strange owners, or that have been changed
recently but you can't figure out why. If your machine has been cracked, you
might need new, trusted copies of basic utilities to even find this stuff
(e.g., download the source code and compile it yourself for findutils, and use
the freshly compiled version of find). Also try the programs 'lsof' (list of
open files) and tcpdump. The first gives you a list of all open files and
network connections. See if you can track them all down (which can be
challenging). tcpdump puts your ethernet card in promiscuous mode and logs all
packets flying around. See if you can find any bizarre packets that can't be
accounted for.
This can all be hard at first, though. It can be hard to even know what to
look for, even with these tools' help. Try the man pages, and come back to the
list if you need more help. Good luck.
HTH, Tim
--
==============================================
== Timothy Klein || teece at silverklein.net ==
== ---------------------------------------- ==
== "Hello, World" 17 Errors, 31 Warnings... ==
==============================================
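The checks Tim lists above (files with strange owners, files changed recently, trusted copies of the tools you audit with, and accounting for every open socket lsof shows) as an added shell example. This is not code from the post or from the list; it assumes GNU find and coreutils sha256sum, and a constructed, labelled sample of `lsof -nP -i` output stands in for a real capture. The function names, the baseline file and the expected-port list are the example's own.

```sh
#!/bin/sh
# Added example (not from the original post): a small host-triage helper that
# does the checks the reply suggests. Assumptions not in the post: GNU find and
# sha256sum are present, and lsof uses its standard column layout
# (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME). Run as root to see every
# file; tcpdump is out of scope here.

# Files whose owner or group maps to no entry in /etc/passwd or /etc/group.
# Files dropped by an intruder under a UID that never existed show up here.
unowned_files() {
    find "$1" -xdev \( -nouser -o -nogroup \) 2>/dev/null | sort
}

# Regular files modified within the last N days (usage: recent_files DIR DAYS).
# Every hit should be explained by a package upgrade or an edit you remember.
recent_files() {
    find "$1" -xdev -type f -mtime -"$2" 2>/dev/null | sort
}

# Record SHA-256 sums of the utilities the audit itself depends on (ps, ls,
# find, netstat, ...). Do this from a known-clean install or freshly built
# source; a baseline taken on an already compromised box proves nothing.
# usage: record_baseline BASELINE_FILE path...
record_baseline() {
    out=$1; shift
    sha256sum "$@" > "$out"
}

# Print "path: FAILED" for each binary whose sum changed; non-zero exit if any.
verify_baseline() {
    sha256sum -c --quiet "$1" 2>/dev/null
}

# Constructed sample of 'lsof -nP -i' output (not a real capture) so the
# socket checks below can be tried offline. The last two lines are what a
# process masquerading as a kernel thread might look like.
sample_lsof() {
    cat <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
master    990 root   12u  IPv4  12400      0t0  TCP 127.0.0.1:25 (LISTEN)
httpd    1021 apache  4u  IPv4  12888      0t0  TCP *:80 (LISTEN)
kswapd   2044 root    5u  IPv4  33010      0t0  TCP *:31337 (LISTEN)
kswapd   2044 root    6u  IPv4  33011      0t0  TCP 192.168.1.5:31337->10.9.8.7:4444 (ESTABLISHED)
EOF
}

# Listening sockets on ports you did not list as expected.
# usage: unexpected_listeners LSOF_OUTPUT_FILE "22 25 80"
unexpected_listeners() {
    awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $NF == "(LISTEN)" {
            addr = $(NF-1)                  # e.g. *:31337 or 127.0.0.1:25
            port = addr; sub(/.*:/, "", port)
            if (!(port in ok)) print $1, $2, $3, addr
        }' "$1"
}

# Every established TCP connection: who (command, pid, user) talks to whom.
established_connections() {
    awk '$NF == "(ESTABLISHED)" { print $1, $2, $3, $(NF-1) }' "$1"
}

# Run all checks: triage DIR DAYS BASELINE_FILE LSOF_FILE ["22 25 80"]
# The default expected-port list is an assumption; adjust it to your host.
triage() {
    echo "== files with unknown owner/group under $1"; unowned_files "$1"
    echo "== files modified in the last $2 days";        recent_files "$1" "$2"
    echo "== audit tools whose checksum changed";        verify_baseline "$3" || true
    echo "== listeners not on the expected-port list";   unexpected_listeners "$4" "${5:-22 25 80}"
    echo "== established connections";                   established_connections "$4"
}
```

Typical use is `lsof -nP -i > /tmp/lsof.txt` followed by `triage / 30 /root/baseline.sha256 /tmp/lsof.txt "22 25 80"`, with the baseline recorded from a clean install beforehand. Every line it prints needs an explanation you can stand behind; and, as the reply says, on a machine where ps, ls or lsof themselves may have been replaced, the answers are only as trustworthy as the binaries producing them, which is why the freshly compiled tools (and ultimately a reinstall) still matter.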