[clug] Re: linux Digest, Vol 31, Issue 25
Peter Barker
pbarker at barker.dropbear.id.au
Fri Jul 22 01:48:34 GMT 2005
On Fri, 22 Jul 2005, Chris wrote:
> was somehow instructed to download some Perl files and put them in the
> /tmp folder. Then communicate to a specific server, I presume that is what
Oh, that sounds bad...
> >From the info I had from 'netstat',
> tcp 0 1 postal.anu.edu.au:36072 luzerklub.hu:5454 SYN_SENT
> tcp 0 1 postal.anu.edu.au:36078 udp.fl00d.de:ircd SYN_SENT
Ah. Unless you were expecting to connect to irc ports from that machine,
that looks VERY bad.
> So far, I have deleted all irc server, bots, cgiirc, and all the other
> related packages that I can think of. Also, had firehol firewall up and
> running. I ran clamscan on the entire system and found one virus, which I
> have already gotten rid of.
Not sure what most people think nowadays, but the prefered solution for a
rooted box used to be "make sure you have all of your data. Blow the
machine away, reinstall from known-good media. Bring the machine
up-to-date with security patches before offering services from the
machine". Thankfully, I've only ever been involved in this sort of thing
once before.
> And the server is still getting connection from the aforementioned
> addresses (e.g.,luzerklub.hu). Any ideas what else I need to do to
> complete drop all those annoying connections?
You appear to have been rooted. Best bet IMO is to reinstall.
You may also want to think about what sort of confidential information may
have been taken from the machine.
> Chris
Yours,
--
Peter Barker | N _--_|\ /---- Barham, Vic
Programmer,Sysadmin,Geek | W + E / /\
pbarker at barker.dropbear.id.au | S \_,--?_*<-- Canberra
You need a bigger hammer. | v [35S, 149E]
"When used legally and in its intended fashion, the Acrobat eBook Reader
secures eBooks purchased by locking the eBook to the hardware from which
it was purchased." -- Adobe press release
More information about the linux
mailing list