intrusion detected
Dick Davies
rasputnik at gmail.com
Tue Aug 9 08:23:12 UTC 2005
Please bear in mind that nmap and ps are often the first binaries
changed when hacking a unix server. If you really want to see what
ports a machine is listening on, run nmap from another host.
On 09/08/05, J.Markoll <j.markoll at free.fr> wrote:
> Matt Patterson wrote:
> > Obviously I do a little more than the average joe with my machine. But
> > things to look at are, nfsd, apache, smbd, nmbd, sshd, ftpd. If you
> > haven't installed those but yet they are running, something might be wrong.
Seriously look into a firewall unless you meant to run NFS - it's very
hard to secure because of its design. FTPd is ok for anonymous
access, but in general you don't want to be running that.
> And sshd is the SSH Daemon, while ssh-agent is ? what can it be ?
man ssh-agent
> joyce@papillon:~$ nmap localhost
>
> Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-09 07:18 CEST
> Interesting ports on localhost.localdomain (127.0.0.1):
> (The 1660 ports scanned but not shown below are in state: closed)
> PORT    STATE SERVICE
> 25/tcp  open  smtp
> 631/tcp open  ipp
> 783/tcp open  hp-alarm-mgr
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 0.211 seconds
> joyce@papillon:~$
>
> Port 25 for outgoing mails, 631 for the printer, 783 maybe the clock I
Port 783 is Spamassassin.
> I asked one other question, although it seems almost obvious:
> is a zombie installed in a machine always a trojan like program ?
>
> Let's go for a 'ps -A', I installed a few unuseful applications these
> days, to see how it goes :))
> using them. Maybe I could wonder what application processes are
> 7970 ? 00:00:00 qmgr
> 7620 ? 00:00:00 mixer_applet2
man qmgr - it's part of postfix.
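
The cross-check suggested at the top of this message (scan from another host rather than trusting the machine's own binaries) can be automated by diffing the two port tables. The following is an added example, not part of the original post; the function names and the remote scan output are constructed for illustration, and the local table is the one quoted above.

```python
import re

# One row of nmap's port table, e.g. "25/tcp open smtp"
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(nmap_text):
    """Return {(port, proto): service} for rows whose state is exactly 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_ROW.match(line.strip())
        if m and m.group(3) == "open":
            found[(int(m.group(1)), m.group(2))] = m.group(4)
    return found

def compare(local_text, remote_text):
    """Split open ports by which vantage point reported them."""
    local, remote = open_ports(local_text), open_ports(remote_text)
    return {
        # Seen from outside but not in the host's own report: either bound
        # only to the external address, or the local tools are hiding it.
        "remote_only": sorted(set(remote) - set(local)),
        # Usually benign: bound to 127.0.0.1 or blocked by a firewall.
        "local_only": sorted(set(local) - set(remote)),
        "both": sorted(set(local) & set(remote)),
    }

# Port table from the post: `nmap localhost` run on the machine itself.
LOCAL_SCAN = """\
PORT    STATE SERVICE
25/tcp  open  smtp
631/tcp open  ipp
783/tcp open  hp-alarm-mgr
"""

# Constructed sample: a scan of the same machine run from another host.
REMOTE_SCAN = """\
PORT     STATE SERVICE
25/tcp   open  smtp
2222/tcp open  unknown
"""

if __name__ == "__main__":
    for key, ports in compare(LOCAL_SCAN, REMOTE_SCAN).items():
        print(key, ", ".join(f"{p}/{proto}" for p, proto in ports) or "-")
```

Any `remote_only` entry is the one to follow up first, since the machine under suspicion did not report it.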