[lug] newbie question - rc.sysinit
D. Stimits
stimits at idcomm.com
Wed Jul 11 17:38:28 MDT 2001
I don't know if that file changes dates, but if someone did root your
machine, they will also be covering their tracks. Some of the common
kits include kernel modules that make the kernel lie to other programs,
and stealth themselves as well. There is probably a good chance your
machine did do the scans, but at the same time, it is also a good
possibility that someone spoofed and used your IP address. You need to
know if the version of anything connected to an open port is the most
current, else you probably were rooted. If you run ipchains, you should
run "ipchains -L -n" to see if there really are rules active (it seems
some init scripts are broken, RH's in particular, but possibly others,
and don't correctly report failed ipchains). Perhaps you could get
someone to scan your machine from the outside and find out if any
suspicious ports are open.
D. Stimits, stimits at idcomm.com
Anne George wrote:
>
> Hi,
>
> I've gotten two emails in the last two months stating that my machine was
> used to run a port scan.
> I've been searching logs, but find FTP Connection Refused message, and I've
> also looked for the Lion & Ramen viruses.
> I've also checked for cron jobs (weekly, monthly, etc).
> My inetd.conf has ftp enabled, everything else is commented out.
> I start sshd from rc.local.
> Below is a list of daemons that are running.
>
> Today I noticed that my rc.sysinit was dated July 5, 2001, and the email I
> just got said my machine ran a port scan on July 4, 2001.
>
> Does the date of the rc.sysinit script change?
> Is it possible that someone is spoofing my address?
>
> Any ideas how I can track this down?
>
> Thanks!!!
>
> Anne
>
> rond         Automatic   Running
> dhcpd        Manual
> firewall     Enabled
> gated        Manual
> gpm          Automatic   Running
> httpd        Automatic   Running
> identd       Automatic   Running
> inet         Automatic   Running
> innd         Manual
> ipchains     Manual
> irda         Manual
> isdn         Automatic
> kdcrotate    Manual
> keytable     Automatic   Running
> krb5server   Manual
> kudzu        Automatic   Running
> ldap         Manual
> linuxconf    Automatic
> lpd          Automatic
> mars-nwe     Manual
> mcserv       Manual
> named        Manual
> netfs        Automatic   Running
> network      Automatic   Running
> nfs          Manual
> nfslock      Automatic
> nscd         Manual
> pcmcia       Automatic
> phhttpd      Manual
> portmap      Automatic
> postgresql   Manual
> pulse        Manual
> pvmd         Manual
> pxe          Manual
> random       Automatic   Running
> reconfig     Automatic   Running
> routed       Manual
> rstatd       Manual
> rusersd      Manual
> rwalld       Manual
> rwhod        Manual
> sendmail     Manual
> serial       Automatic   Running
> smb          Manual
> snmpd        Manual
> squid        Manual
> sshd         Automatic
> syslog       Automatic   Running
> xfs          Automatic   Running
> xntpd        Manual
> ypbind       Manual
> yppasswdd    Manual
> ypserv       Manual
>
> phone: (303) 447-2774 speak "Anne George"
> email: ageorge at goldsys.com
> **************************************************
> Gold Systems does Speech Recognition ... just speak the first and last name
> of the person you are trying to reach
> **************************************************
> People of Altitude - www.stvrainwatchdogs.org
> "You did then what you knew how to do. When you knew better you did
> better." - Maya Angelou
> **************************************************
>
> _______________________________________________
> Web Page: http://lug.boulder.co.us
> Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
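
The `ipchains -L -n` check suggested in the reply above, as an added example that is not part of the original thread: it reads the listing and reports whether any rule or restrictive policy is actually loaded, regardless of what the init script printed. The function name, the sample listings and the assumed listing layout ("Chain NAME (policy X):" headers, a "target ..." column line, then one line per rule) are constructed for illustration.

```shell
#!/bin/sh
# Added example. Live use (as root):  ipchains -L -n | check_ipchains_listing
# Exit status: 0 = rules or a non-ACCEPT policy are loaded,
#              1 = every chain is policy ACCEPT with no rules (firewall not active),
#              2 = no chain headers at all (command failed or no ipchains support).
check_ipchains_listing() {
    awk '
        /^Chain / {
            chains++
            # The policy is the word after "(policy", e.g. "(policy DENY):".
            # User-defined chains show "(N references)" and have no policy.
            for (i = 1; i < NF; i++)
                if ($i == "(policy") {
                    pol = $(i + 1)
                    gsub(/[^A-Za-z]/, "", pol)     # strip the trailing "):"
                    if (pol != "ACCEPT") restrictive++
                }
            next
        }
        /^target[ \t]/ { next }                    # column header, not a rule
        NF > 0 { rules++ }                         # any other non-blank line is a rule
        END {
            if (chains == 0) { print "NO-CHAINS: empty listing"; exit 2 }
            if (rules + restrictive == 0) {
                print "INACTIVE: all chains are policy ACCEPT with no rules"; exit 1
            }
            printf "ACTIVE: %d rule(s), %d restrictive chain policy(ies)\n", rules, restrictive
            exit 0
        }'
}

# Constructed sample: what an unconfigured host is assumed to print.
SAMPLE_EMPTY='Chain input (policy ACCEPT):
Chain forward (policy ACCEPT):
Chain output (policy ACCEPT):'

# Constructed sample: a loaded rule set (192.0.2.10 is a documentation address).
SAMPLE_LOADED='Chain input (policy DENY):
target     prot opt     source                destination           ports
ACCEPT     tcp  ------  0.0.0.0/0             192.0.2.10            * ->   22
Chain forward (policy DENY):
Chain output (policy ACCEPT):'

printf '%s\n' "$SAMPLE_EMPTY"  | check_ipchains_listing || true
printf '%s\n' "$SAMPLE_LOADED" | check_ipchains_listing || true
```

If a rootkit of the kind mentioned in the reply is suspected, the output of local tools is itself untrusted, so this check complements the outside port scan and does not replace it.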