Re: [SLUG] OK it's my fault - Help I've been hacked

From: Mike Manchester (mchester@yahoo.com)
Date: Tue Aug 28 2001 - 07:10:27 EDT


Here are my log entries from this morning, which I think may have a clue as to where the zombies are coming from.

This is odd, as I didn't mount a CD in my CD-ROM this morning?

Aug 28 05:49:51 cpt kernel: Attached scsi CD-ROM sr0 at scsi1, channel 0, id 0, lun 0
Aug 28 05:49:51 cpt kernel: sr0: scsi3-mmc drive: 2x/6x writer cd/rw xa/form2 cdda tray
Aug 28 05:49:51 cpt kernel: cdrom: This disc doesn't have any tracks I recognize!

This is also odd, as I'm not doing, nor did I try, any ftp this morning. How can I find what is spawning this ftp session?

Aug 28 05:51:01 cpt ftpd[2086]: FTP LOGIN FAILED (cannot set guest privileges) for arennes-301-1-3-138.abo.wanadoo.fr [193.252.189.138], ftp
Aug 28 05:51:06 cpt ftpd[2086]: FTP session closed
Aug 28 05:51:07 cpt ftpd[2087]: FTP session closed
Aug 28 05:51:21 cpt ftpd[2088]: FTP LOGIN FAILED (cannot set guest privileges) for arennes-301-1-3-138.abo.wanadoo.fr [193.252.189.138], ftp
Aug 28 05:51:21 cpt ftpd[2088]: FTP session closed
Aug 28 05:54:45 cpt gconfd (mchester-2045): 20 items remain in the cache after cleaning already-synced items older than 300 seconds
Aug 28 07:03:10 cpt su(pam_unix)[2368]: session opened for user root by mchester(uid=500)

Mike Manchester wrote:

> OK, for the time being I've turned off the ftp port and the ssh port on the router and this has stopped the network activity. But it has created another problem and I can't seem to find it. I'm getting zombies. Though I'm not sure they are related to the attack, I
> just never had them before the attack. Anyway they seem to be reproducing about every 2 mins. Is there any way to find out what process is creating these zombies? So I can get rid of them? Also how do you check a port with telnet? Some of the ones I checked
> timed out and gave me a message about the type of port it was. But one of the ports is "listening" and it won't time out or give me back any information.
>
> Thanks
> Mike M.
>
> Brett Simpson wrote:
>
> > Maybe when you were hacked it added another daemon to run on another port other than ftp. Use a port scanner like nmap to check for any other ports being open. Once you see something odd you may be able to use telnet to check out what it responds with.
> >
> > nmap -p 1-65535 localhost
> > nmap -sU -p 1-65535 localhost
> > telnet localhost port
> >
> > >>> mchester@yahoo.com 08/27/01 03:49PM >>>
> > OK it's my fault. I was playing around with anonymous ftp and forgot to kill ftp when I
> > was done. This morning I noticed I had a lot of activity on my hub and my son was at work.
> > So I knew it was him. So looking at my logs I found this.
> > Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552
> > /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41
> > b _ i g ftp ftp 0 * c
> >
> > So I promptly stopped ftp and removed the above dir. Note it wouldn't let me remove the COM1_
> > dir so I deleted the whole tree /data/anonymous.
> >
> > Now my question is, since ftp is no longer running and I've removed the anonymous dir, why
> > does my log now show this? The time is at least 2 hours after I shut off the anonymous
> > access.
> > Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840
> > /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00
> > b _ i g ftp ftp 0 * c
> >
> > How can they still be xfering files that no longer exist on my system? Well at least they
> > aren't in the /data/anonymous dir tree.
> >
> > If I try to ftp to my machine using anonymous I receive this message: 530 Can't set guest
> > privileges.
> > Login failed. Which I would expect, as I removed the anonymous ftp userid. So how can
> > these script kiddies still be getting in?
> >
> > And what's a good program to use to find this kind of stuff? I'm not sure how long this
> > would have gone on if I hadn't noticed my hub lights working so hard.
> >
> > Thanks
> > Mike M.
> >
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
>



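Second added example (again the editor's, not from the thread), for the zombie question. A zombie is a child that has exited but whose parent has not yet called wait(); it holds only a process-table slot and cannot be killed, so the thing to identify is the parent. The function below reads ps -eo pid,ppid,stat,comm output on stdin and groups defunct children (STAT beginning with Z) by parent PID. The embedded ps listing is constructed, with hypothetical process names, purely to exercise the function; it says nothing about the poster's machine.

```sh
#!/bin/sh
# Added example, not from the original thread: find which process is leaving
# zombies by grouping defunct children by parent in "ps -eo pid,ppid,stat,comm".

# Constructed sample ps output (hypothetical names, not the poster's box): one
# parent, "fakesrv", has not wait()ed for two exited children.
sample_ps() {
  cat <<'EOF'
  PID  PPID STAT COMMAND
    1     0 S    init
  612     1 S    cron
  700     1 S    fakesrv
  701   700 Z    fakesrv
  702   700 Z    fakesrv
  810   612 S    sleep
EOF
}

# Reads ps output on stdin; prints one line per parent that owns zombies.
zombie_parents() {
  awk '
    NR == 1 { next }                       # skip the header row
    { cmd[$1] = $4 }                       # every pid -> command name
    $3 ~ /^Z/ { z[$2]++; kid[$2] = $4 }    # zombie: count it under its parent
    END {
      for (p in z)
        printf "parent_pid=%s parent_cmd=%s zombies=%d child_cmd=%s\n",
               p, (p in cmd) ? cmd[p] : "?", z[p], kid[p]
    }' | sort
}

# Live use:  ps -eo pid,ppid,stat,comm | zombie_parents
sample_ps | zombie_parents
```

Once the parent is known, restarting it (or killing it, so init adopts and reaps the children) clears the zombies; killing the zombies themselves does nothing. Zombies that reappear on a fixed interval, as described above, mean something is starting short-lived children on that interval, so the schedulers (crontab -l for each user, /etc/crontab, /etc/cron.d and atq) are worth checking alongside whatever parent the script names.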

This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:20 EDT