intrusion detected

Brian Walker bfwalker at gmail.com
Mon Aug 8 08:10:49 UTC 2005


Thanks for the input. Going further on the security search though, I ran 
nmap on 127.0.0.1 and found some open ports, some flagged as security risks 
and "holes".

On port 10000 I found reference to PID 8923/perl running .... well, I do not 
know. Nessus put out screeds of information about domino databases:

 Warning|We found the following domino databases :
 /log.nsf this must be considered a security risk since the server log can be retrieved
 /setup.nsf this must be considered a security risk since the server might be configured remotely or the current setup might be downloaded
 /catalog.nsf this must be considered a security risk since the list of databases in the server can be retrieved
 /statrep.nsf this must be considered a security risk since the reports generated by administrators can be read anoymously
 /names.nsf this must be considered a security risk since the users and groups in the server can be accessed anonymously, in some cases, access to the hashed passwords will be possible

I searched for these files and found them nowhere on my computer. There was 
a reference to files on another server .... but I am using a single computer 
as a server, networked with a windows box which has no connection to the 
net. There were references to files of commercial significance - DCShop? - 
and so on. So I must assume there has been placed some nasty on my box, 
especially as the intruding box was a RH user. 

1. Is this assumption correct?
2. Having shut off those ports after:

# netstat -tlp
# kill -9 <PID of associated process>

I would like to find what has been placed (if anything) ... but after 
# updatedb 

I can find nothing untoward using 

# locate <name>

Am I being paranoid? 

Brian

On 8/8/05, Matt Patterson <matt at v8zman.com> wrote:
> 
> Hey Brian,
> 
> I don't know a whole lot about the hardening stuff, I simply run minimal
> services, mostly on incorrect ports, maintain good passwords, and keep
> up to date. For the majority of us I think that is good for the 5 nines
> (99.999%) of hackers.


I would have thought so until I began looking at this more seriously. 
Perhaps I just need more medication?

> As for your plans of hitting them back, don't bother, you would just be
> hitting some poor unsuspecting sap who already has the problem of a
> computer that is operating way too slowly with three million pop ads.
> Most of the breakin attempts you receive will be from zombie machines
> doing automated scans of ip space.


Yes. Point taken. 

> Your best approach is to locate the root domain or isp and send a quick
> email with logs reporting that the computer has been compromised. The
> ISP will pull them from the net, and the owner will be notified.


Many thanks for the feedback

Brian
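An added shell example, not from this thread or from either poster, showing the two checks a responder would do before concluding that a "nasty" has been planted: map each listening TCP port to the process that owns it from netstat -tlp style output, and cross-check the database paths a scanner reported against what is actually on disk. A perl process bound to port 10000 is the usual signature of the Webmin administration interface, and web scanners that probe for Domino paths by URL will report every one of them when a server answers any URL with a 200, so a "found" path that exists nowhere on the filesystem is a finding to verify rather than proof of compromise. The netstat lines and the web root are constructed sample input; only the PID/program and the .nsf names come from the message above.

```shell
#!/bin/sh
# Added example (not part of the original mailing-list post).
# The netstat output below is CONSTRUCTED sample data in the layout that
# `netstat -tlp` prints; run `netstat -tlp` (or `ss -tlnp`) for real data.
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:10000           0.0.0.0:*               LISTEN      8923/perl
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      4120/cupsd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3988/sshd'

# listeners: print "port pid program" for every LISTEN line.
# Column 4 is the local address (last ':'-separated field is the port),
# column 6 the socket state and column 7 the "PID/Program" pair.
listeners() {
    printf '%s\n' "$SAMPLE_NETSTAT" | awk '$6 == "LISTEN" {
        n = split($4, a, ":"); split($7, p, "/")
        print a[n], p[1], p[2] }'
}

# owner_of PORT: program name bound to PORT, or "none" if nothing listens there.
owner_of() {
    listeners | awk -v port="$1" \
        '$1 == port { print $3; found = 1 } END { if (!found) print "none" }'
}

# Paths the scanner reported (taken from the Nessus output quoted above).
NESSUS_PATHS='/log.nsf /setup.nsf /catalog.nsf /statrep.nsf /names.nsf'

# check_paths WEBROOT: report, for each scanner-named path, whether a file of
# that name exists under WEBROOT. A path that is "absent" was most likely
# reported because the HTTP server answered the probe with a generic 200.
check_paths() {
    root=$1
    for p in $NESSUS_PATHS; do
        if [ -f "$root$p" ]; then echo "$p present"; else echo "$p absent"; fi
    done
}

# count_present WEBROOT: number of reported paths that really exist on disk.
count_present() {
    check_paths "$1" | awk '/ present$/ { n++ } END { print n + 0 }'
}

# Stand-alone usage: list listeners, then check a (constructed) empty web root.
listeners
echo "port 10000 is owned by: $(owner_of 10000)"
check_paths /var/www
```

If every path comes back absent while the scanner keeps "finding" them, the next step is to fetch one of them by hand with a plain HTTP client and compare the response to an obviously bogus URL on the same port; identical answers mean the scanner was matching on the server's catch-all page, not on a Domino database.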