
Re: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)



Hi Kai,

> bindshell'... INFECTED (PORTS:  1524 31337)
>
> I could use some help with what this exactly means. Also, how do I trace it
> and fix it?

Bring an uncompromised "netstat" onto the machine, and when you run "netstat 
-anp|grep LISTEN" you'll see that a shell has been bound to the ports listed 
above. Connecting to those, an attacker can gain root access on your machine 
without authorization.

You can use LSOF (grab the RH6.2 RPM for i386 and bring it onto the machine) 
to find out which processes are responsible for this.

But I'd look at the following places:

/etc/inetd.conf
/etc/rc.d/rc.local
/etc/rc.d/rc.sysinit

If that search turns out blank, then check the rest of the init scripts in 
/etc/rc.d/init.d/ for suspicious additions.

Does chkrootkit show that any of the system binaries have been replaced?

-- 

With best regards,

Michael Stauber
Linux/Unix Support Engineer
SOLARSPEED.NET
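As an added example (not part of this thread or of Michael's reply), here is a small POSIX shell triage helper that follows the steps above: it parses `netstat -anp` style output for listeners on the two reported ports and greps the startup files named in the reply for any mention of them. The netstat lines embedded below are constructed sample data, and the file paths are the ones given in the reply.

```shell
#!/bin/sh
# Added example: triage helper for a "bindshell ... INFECTED (PORTS: 1524 31337)"
# chkrootkit finding. Run it with netstat/lsof/grep taken from a trusted source,
# since binaries on a compromised host may lie.

SUSPECT_PORTS="1524 31337"

# Constructed sample of `netstat -anp | grep LISTEN` on a compromised host
# (not real output; 9831/9832 are made-up PIDs).
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      9831/sh
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      9832/sh'

# find_bound_shells: reads netstat -anp lines on stdin and prints
# "<port> <pid/program>" for every LISTEN socket on a suspect port.
find_bound_shells() {
    awk -v ports="$SUSPECT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $6 == "LISTEN" {
            n = split($4, a, ":"); port = a[n]      # last field after ":" is the port
            if (port in want) print port, $7
        }'
}

# count_bound_shells: number of suspect listeners found in the given netstat text.
count_bound_shells() {
    printf '%s\n' "$1" | find_bound_shells | wc -l | tr -d ' '
}

# scan_startup_files: grep the files the reply points at (plus the init.d
# scripts) for the suspect port numbers, to spot a persistence hook.
scan_startup_files() {
    for f in /etc/inetd.conf /etc/rc.d/rc.local /etc/rc.d/rc.sysinit /etc/rc.d/init.d/*; do
        [ -f "$f" ] || continue
        for port in $SUSPECT_PORTS; do
            grep -n -- "$port" "$f" 2>/dev/null | sed "s|^|$f:|"
        done
    done
}

# Demonstration on the constructed sample; on a live host feed it real
# `netstat -anp` output and then follow up each PID with lsof -p <pid>.
printf '%s\n' "$SAMPLE_NETSTAT" | find_bound_shells
scan_startup_files
```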