Re: [SLUG] OK it's my fault - Help I've been hacked

From: SOTL (sotl155360@earthlink.net)
Date: Tue Aug 28 2001 - 18:07:01 EDT


Before I started all the modifications and searching that I have read about,
I would ask myself:
What is this machine used for?
How easy would it be to do a complete reinstall?
How long is it going to take me to clean up this mess if I do not reinstall?

If the answer to the first is nothing crucial then the answer to the second
is about 4 hours and most of that you can spend watching TV.

Frank

On Tuesday 28 August 2001 10:48 am, Brett Simpson wrote:
> One command shows your open TCP ports and the other shows your open UDP
> ports.
>
> >>> pwgrant@yahoo.com 08/27/01 10:12PM >>>
>
> Why do the two commands give slightly different results on the same box?
> ----- Original Message -----
> From: "Brett Simpson" <Simpsonb@hillsboroughcounty.org>
> To: <slug@nks.net>; <mchester@yahoo.com>
> Sent: Monday, August 27, 2001 4:42 PM
> Subject: Re: [SLUG] OK it's my fault - Help I've been hacked
>
> > Maybe when you were hacked it added another daemon to run on another port
> > other than ftp. Use a port scanner like nmap to check for any other ports
> > being open. Once you see something odd you may be able to use telnet to
> > check out what it responds with.
> >
> > nmap -p 1-65535 localhost
> > nmap -sU -p 1-65535 localhost
> > telnet localhost port
> >
> > >>> mchester@yahoo.com 08/27/01 03:49PM >>>
> >
> > OK it's my fault. I was playing around with anonymous ftp and forgot to
> > kill ftp when I was done. This morning I noticed I had a lot of activity
> > on my hub and my son was at work. So I knew it was him. So looking at my
> > logs I found this.
> > Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552
> > /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1
> > / le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41
> > b _ i g ftp ftp 0 * c
> >
> > So I promptly stopped ftp and removed the above dir. Note it wouldn't let
> > me remove COM1_ dir so I deleted the whole tree /data/anonymous.
> >
> > Now my question is since ftp is no longer running and I've removed the
> > anonymous dir why does my log now show this? The time is at least 2 hours
> > after I shut off the anonymous access.
> > Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840
> > /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2
> > / le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00
> > b _ i g ftp ftp 0 * c
> >
> > How can they still be xfering files that no longer exist on my system?
> > Well at least they aren't in the /data/anonymous dir tree.
> >
> > If I try to ftp to my machine using anonymous I receive this message. 530
> > Can't set guest privileges.
> > Login failed. Which I would expect as I removed the anonymous ftp userid.
> > So how can these script kiddies still be getting in?
> >
> > And what's a good program to use to find this kind of stuff? I'm not sure
> > how long this would have gone on if I hadn't noticed my hub lights working
> > so hard.
> >
> > Thanks
> > Mike M.
> >
> > _________________________________________________________
> > Do You Yahoo!?
> > Get your free @yahoo.com address at http://mail.yahoo.com
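An added example, not part of this thread: the entries Mike pasted are wu-ftpd style xferlog records, and the trailing fields already say what happened (direction `i` = incoming, access mode `g` = guest, user `ftp`, uid `*`), so a small parser can pull every upload made through a guest or anonymous login out of the log and total the bytes per remote host. The sample log is constructed from the two entries above (the wrapped path joined back into one token) plus one made-up ordinary download by a real user; the field layout follows the xferlog man page and is assumed to match the server in question.

```python
"""Flag guest/anonymous uploads in a wu-ftpd style xferlog.

Assumed record layout (xferlog(5)): 5 date tokens, transfer-time, remote-host,
file-size, file-name, then nine trailing fields: transfer-type, special-action
flag, direction (i/o), access-mode (a=anonymous, g=guest, r=real), username,
service-name, authentication-method, authenticated-user-id, completion-status.
"""
from collections import defaultdict
from typing import Dict, List

# Constructed sample: the thread's two entries plus one benign download.
SAMPLE_XFERLOG = """\
Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552 /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41 b _ i g ftp ftp 0 * c
Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840 /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00 b _ i g ftp ftp 0 * c
Mon Aug 27 09:00:00 2001 2 192.0.2.10 1024 /pub/README b _ o r mike ftp 0 * c
"""

TRAILING = ("type", "flag", "direction", "mode", "user",
            "service", "auth", "uid", "status")


def parse_xferlog_line(line: str) -> Dict[str, object]:
    """Split one xferlog record into named fields."""
    tokens = line.split()
    if len(tokens) < 5 + 3 + 1 + len(TRAILING):
        raise ValueError(f"malformed xferlog line: {line!r}")
    rec: Dict[str, object] = {"when": " ".join(tokens[:5]), "secs": int(tokens[5]),
                              "host": tokens[6], "bytes": int(tokens[7])}
    # Everything between the size and the nine trailing fields is the path
    # (wu-ftpd rewrites spaces in names to underscores, but stay tolerant).
    rec["path"] = " ".join(tokens[8:-len(TRAILING)])
    rec.update(zip(TRAILING, tokens[-len(TRAILING):]))
    return rec


def flag_guest_uploads(log_text: str) -> List[Dict[str, object]]:
    """Return incoming transfers (uploads) made by anonymous or guest logins."""
    hits = []
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_xferlog_line(line)
            if rec["direction"] == "i" and rec["mode"] in ("a", "g"):
                hits.append(rec)
    return hits


def bytes_by_host(records: List[Dict[str, object]]) -> Dict[str, int]:
    """Total uploaded bytes per remote host, to see who is filling the disk."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in records:
        totals[str(rec["host"])] += int(rec["bytes"])
    return dict(totals)


if __name__ == "__main__":
    uploads = flag_guest_uploads(SAMPLE_XFERLOG)
    for r in uploads:
        print(f"{r['when']} {r['host']} uploaded {r['bytes']} bytes to {r['path']}")
    print(bytes_by_host(uploads))
```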



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:10:30 EDT