
SV: [cobalt-security] bindshell'... INFECTED (PORTS: 1524 31337)



Hi, and Thanks Michael

I will have a go at this. I must admit that I am a newbie and would be glad
if someone could tell me a little more specifically how to do this:

>You can use LSOF (grab the RH6.2 RPM for i386 and bring it onto
> the machine)

Thanks to the people answering on this list. I learn something every day
(not least from you, Michael).

Takk/Thanks/Danke

Kai R S



> Hi Kai,
>
> > bindshell'... INFECTED (PORTS:  1524 31337)
>
> > I could need some help with what this exactly means ? Also how
> to trace it
> > and fix it..
>
> Bring an uncompromised "netstat" onto the machine, and when you run "netstat
> -anp | grep LISTEN" you'll see that a shell has been bound to the ports listed
> above. Connecting to those, an attacker can gain root access on your machine
> without authorization.
>
> You can use LSOF (grab the RH6.2 RPM for i386 and bring it onto the machine)
> to find out which processes are responsible for this.
>
> But I'd look at the following places:
>
> /etc/inetd.conf
> /etc/rc.d/rc.local
> /etc/rc.d/rc.sysinit
>
> If that search turns out blank, then check the rest of the init scripts in
> /etc/rc.d/init.d/ for suspicious additions.
>
> Does chkrootkit show that any of the system binaries have been replaced?
>
> --
>
> With best regards,
>
> Michael Stauber
> Linux/Unix Support Engineer
> SOLARSPEED.NET
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
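The triage Michael outlines above (netstat for the bound shell, lsof for the owning process, then a look through inetd.conf, rc.local, rc.sysinit and init.d) can be scripted so the same checks are run the same way every time. The script below is an added example written for this thread, not code from either poster or from Cobalt; the netstat output it walks is constructed, the PID 2041 in it is made up, and the `SUSPECT_PORTS`, `flag_listeners`, `listener_pids` and `scan_startup_files` names are the example's own. It assumes a clean `netstat` and `lsof` have already been brought onto the box, as the reply advises.

```shell
#!/bin/sh
# Added triage helper (example code, not from the mailing-list thread).
# It automates the checks from the reply: find LISTEN sockets on the flagged
# ports in "netstat -anp" output, pull out the owning PID for lsof, and grep
# the startup files for anything referencing those ports or spawning a shell.

# The two ports chkrootkit flagged in the original report.
SUSPECT_PORTS="1524 31337"

# flag_listeners: reads "netstat -anp" output on stdin and prints one
# "port pid program" line per LISTEN socket bound to a suspect port.
flag_listeners() {
    awk -v ports="$SUSPECT_PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # "0.0.0.0:1524" -> "1524"
            if (port in want) {
                split($7, prog, "/")             # "2041/sh" -> pid 2041, name sh
                print port, prog[1], prog[2]
            }
        }'
}

# listener_pids: unique PIDs from flag_listeners on one line, ready to be
# handed to "lsof -p <pid>" to list that process's open files and sockets.
listener_pids() {
    flag_listeners | awk '!seen[$2]++ { printf "%s%s", sep, $2; sep = " " } END { print "" }'
}

# scan_startup_files FILE...: prints "file:line:text" for any line that mentions
# a suspect port or hands a service straight to /bin/sh (an inetd entry that
# spawns a shell is exactly the kind of "suspicious addition" to look for).
# Unreadable or missing files are skipped, so one call fits any box.
scan_startup_files() {
    pattern='/bin/(ba)?sh'
    for p in $SUSPECT_PORTS; do pattern="$pattern|(^|[^0-9])$p([^0-9]|$)"; done
    for f in "$@"; do
        # /dev/null as a second file forces grep to print the file name prefix
        [ -r "$f" ] && grep -nE "$pattern" /dev/null "$f"
    done
    return 0
}

# Constructed sample of "netstat -anp" output (not captured from a real box);
# the bound shell on 1524 and 31337 is given the made-up PID 2041.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      312/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      2041/sh
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      2041/sh
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      455/httpd'

# "sh triage.sh live" runs against the real netstat and startup files;
# with no argument it walks the constructed sample so the output can be seen offline.
if [ "${1:-}" = "live" ]; then
    netstat -anp 2>/dev/null | flag_listeners
    echo "PIDs to inspect with lsof -p: $(netstat -anp 2>/dev/null | listener_pids)"
    scan_startup_files /etc/inetd.conf /etc/rc.d/rc.local /etc/rc.d/rc.sysinit /etc/rc.d/init.d/*
else
    printf '%s\n' "$SAMPLE_NETSTAT" | flag_listeners
fi
```

Once a PID comes back, `lsof -p 2041` lists everything that process has open and `lsof -i :1524` shows who owns the socket directly; both are standard lsof options. Treat the script's output as a starting point only: if chkrootkit already reports replaced system binaries, the netstat and lsof on the box cannot be trusted, which is why the reply insists on bringing clean copies.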