RE: [cobalt-security] Have I been hacked?
- Subject: RE: [cobalt-security] Have I been hacked?
- From: "Simon Wilson" <simon@xxxxxxxxxxxxx>
- Date: Wed, 9 Jan 2002 15:48:23 -0000
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
I have run a portscan from outside the box now and these are the results.
(Took me long enough...)
xxx.xx.xx.xxx :13782 - bpcd -- open
xxx.xx.xx.xxx :13722 - bpjava-msvc -- open
xxx.xx.xx.xxx :3306 - mysql -- open
xxx.xx.xx.xxx :3001 - nessusd -- open
xxx.xx.xx.xxx :3000 - hbci -- open
xxx.xx.xx.xxx :444 - snpp -- open
xxx.xx.xx.xxx :143 - imap -- open
xxx.xx.xx.xxx :110 - pop-3 -- open
xxx.xx.xx.xxx :81 - hosts2-ns -- open
xxx.xx.xx.xxx :80 - http -- open
xxx.xx.xx.xxx :53 - domain -- open
xxx.xx.xx.xxx :52 - xns-time -- open
xxx.xx.xx.xxx :25 - smtp -- open
xxx.xx.xx.xxx :21 - ftp -- open
ftp should be OK because it denies everyone in hosts.deny and allows only me
in hosts.allow.
nessusd - well what can I say, I installed it then couldn't work out how to
use it or switch it off!!!
mysql is OK
pop-3, http, smtp all things we need.
As for the rest, I don't know what they are or if they're OK. Any thoughts on
whether any of these are suspicious greatly appreciated.
Also, as I suspect we have been hacked but can find no evidence on our
regular chkrootkit run or any change in bandwidth usage, where else and what
else should I be looking for? Because that tripwire report is still worrying
the hell out of me.
Regards
Simon
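
An added example, not part of the original message: a small shell triage that takes the scan lines above and lists the open ports the message does not account for, so each can be checked on the host. The function name `unaccounted_ports` is hypothetical, and the accounted list is an assumption read from the message itself (ftp, smtp, http, pop-3, nessusd, mysql).

```shell
#!/bin/sh
# Constructed input: the scan lines from the message above, addresses
# already masked in the archive.
SCAN='xxx.xx.xx.xxx :13782 - bpcd -- open
xxx.xx.xx.xxx :13722 - bpjava-msvc -- open
xxx.xx.xx.xxx :3306 - mysql -- open
xxx.xx.xx.xxx :3001 - nessusd -- open
xxx.xx.xx.xxx :3000 - hbci -- open
xxx.xx.xx.xxx :444 - snpp -- open
xxx.xx.xx.xxx :143 - imap -- open
xxx.xx.xx.xxx :110 - pop-3 -- open
xxx.xx.xx.xxx :81 - hosts2-ns -- open
xxx.xx.xx.xxx :80 - http -- open
xxx.xx.xx.xxx :53 - domain -- open
xxx.xx.xx.xxx :52 - xns-time -- open
xxx.xx.xx.xxx :25 - smtp -- open
xxx.xx.xx.xxx :21 - ftp -- open'

# Assumption: ports the message accounts for
# (ftp, smtp, http, pop-3, nessusd, mysql).
ACCOUNTED='21 25 80 110 3001 3306'

# unaccounted_ports SCAN_TEXT ACCOUNTED_LIST
# Prints "port label" for each open port that is not in the accounted
# list, sorted by port number. The label is only the name the scanner
# maps to that port number; it does not identify the daemon that is
# actually listening there.
unaccounted_ports() {
    printf '%s\n' "$1" | awk -v known="$2" '
        BEGIN {
            n = split(known, k, " ")
            for (i = 1; i <= n; i++) ok[k[i]] = 1
        }
        $NF == "open" {
            port = $2
            sub(/^:/, "", port)
            if (port !~ /^[0-9]+$/) next   # skip malformed lines
            if (!(port in ok)) print port, $4
        }' | sort -n
}

# Ports still to be explained, one per line.
unaccounted_ports "$SCAN" "$ACCOUNTED"
```

For each port it prints, `netstat -tlnp` run as root on the box shows which process owns the listening socket, and that answer can be compared with what is expected to be installed.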