Re: [SLUG] OK it's my fault - Help I've been hacked

From: bill triplett (btt@nethouse.com)
Date: Tue Aug 28 2001 - 10:08:47 EDT


On Tue, Aug 28, 2001 at 06:39:33AM -0400, Mike Manchester wrote:
> OK, for the time being I've turned off the ftp port and the
> ssh port on the router and this has stopped the network
> activity. But has created another and I can't seem to find
> it.

Is the router set on full two-way NAT for that machine... where
it translates all incoming traffic to the hacked box? Or is it
set to just forward certain, specified ports to that hacked box?
If it is the former then it might be a good idea to just disconnect
that machine from the internet; they could have ports open besides
ssh and ftp, like a portshell or something. If they portshell in
and realize that you're on to them, they might start covering their
tracks a la rm -rf /

If you are dynamically ip'd and can force the router to re-IP itself,
that would not be a bad idea either.

Sounds like that process is being run and re-run from inittab. Check
/etc/inittab for weird stuff. Usually at the end.

If they altered inittab, then they had root and probably installed
trojaned binaries while they were at it. That means the output of
stuff like ps, netstat, ls, etc. is probably not accurate.

lsof is a pretty good utility for checking stuff and is not
_generally_ trojaned by rootkits. You could try comparing the
output of

netstat --inet --listen
  with
lsof | grep LISTEN

lsof will give you process names bound to the ports, too.

and see if any extra ports show up. If more, different ports show
up under lsof than netstat, then they have mucked around with who
knows what... it is better to wipe and reinstall, unfortunately.

lsof (if it is not trojaned) will also list open files, and the list
of open files is handy for checking if any strange processes are
writing to any files... like a password sniffer saving its output.

> Is there any way to find out which process is creating these
> zombies?

ps axf gives a tree-like view of processes and their parents.
A 'Z' in the STAT column means zombie.

> So I can get rid of them? Also, how do you check a
> port with telnet? Some of the ones I checked timed out and
> gave me a message about the type of port it was. But one of
> the ports is "listening" and it won't timeout or give me
> back any information.

telnet <host> <port>
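As an added example (not from Bill's message or from the original thread), here is a small POSIX shell script that automates the netstat-versus-lsof comparison described above: it reduces both outputs to a set of "proto:port" pairs and prints the ports that lsof reports but netstat does not. It assumes the column layouts of `netstat --inet --listen -n` and `lsof -nP -i`; the sample outputs embedded at the bottom are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the listening
# ports reported by netstat with those reported by lsof.  A port that
# lsof sees but netstat does not suggests netstat has been trojaned.
LC_ALL=C; export LC_ALL   # make sort and comm agree on ordering

# netstat_ports: read `netstat --inet --listen -n` output on stdin,
# print one "proto:port" per line (tcp6/udp6 folded into tcp/udp).
netstat_ports() {
    awk '$1 ~ /^(tcp|udp)/ { n = split($4, a, ":"); print substr($1, 1, 3) ":" a[n] }' | sort -u
}

# lsof_ports: read `lsof -nP -i` output on stdin, print "proto:port" for
# every TCP socket in LISTEN state and every bound UDP socket.
lsof_ports() {
    awk '($8 == "TCP" && $10 == "(LISTEN)") || $8 == "UDP" {
             n = split($9, a, ":"); print tolower($8) ":" a[n] }' | sort -u
}

# hidden_ports NETSTAT_FILE LSOF_FILE: print ports known to lsof only.
hidden_ports() {
    n=$(mktemp) && l=$(mktemp) || return 1
    netstat_ports < "$1" > "$n"
    lsof_ports < "$2" > "$l"
    comm -13 "$n" "$l"        # lines unique to the lsof list
    rm -f "$n" "$l"
}

# Constructed sample output (not captured from a real host).
NETSTAT_SAMPLE=$(mktemp)
cat > "$NETSTAT_SAMPLE" <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:53              0.0.0.0:*
EOF

LSOF_SAMPLE=$(mktemp)
cat > "$LSOF_SAMPLE" <<'EOF'
COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812 root    3u  IPv4  12345      0t0  TCP *:22 (LISTEN)
sendmail  845 root    4u  IPv4  12350      0t0  TCP 127.0.0.1:25 (LISTEN)
named     900 bind   20u  IPv4  12346      0t0  UDP *:53
sh       3132 root    0u  IPv4  99812      0t0  TCP *:2222 (LISTEN)
EOF

# The constructed lsof listing has one listener netstat knows nothing about.
hidden_ports "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"     # prints tcp:2222
```

On a live box, save the real outputs with `netstat --inet --listen -n > n.txt` and `lsof -nP -i > l.txt` and run `hidden_ports n.txt l.txt`; any line it prints deserves the wipe-and-reinstall treatment Bill mentions.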



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:31 EDT