intrusion detected

MrKnisely mrknisely at mrknisely.is-a-geek.org
Thu Aug 11 02:35:48 UTC 2005


Dick Davies wrote:

>Please bear in mind that nmap and ps are often the first binaries
>changed when hacking a unix server. If you really want to see what
>ports a machine is listening on, run nmap from another host.
>
>On 09/08/05, J.Markoll <j.markoll at free.fr> wrote:
>  
>
>>Matt Patterson wrote:
>>    
>>
>>>Obviously I do a little more than the average joe with my machine. But
>>>things to look at are, nfsd, apache, smbd, nmbd, sshd, ftpd. If you
>>>haven't installed those but yet they are running, something might be wrong.
>>>      
>>>
>
>Seriously look into a firewall unless you meant to run NFS - it's very
>hard to secure because of its design. FTPd is ok for anonymous
>access, but in general you don't want to be running that.
>
>  
>
>>And sshd is the SSH Daemon, while ssh-agent is ? what can it be ?
>>    
>>
>
>Man ssh-agent
>
>  
>
>>joyce at papillon:~$ nmap localhost
>>
>>Starting nmap 3.75 ( http://www.insecure.org/nmap/ ) at 2005-08-09 07:18
>>CEST
>>Interesting ports on localhost.localdomain (127.0.0.1):
>>(The 1660 ports scanned but not shown below are in state: closed)
>>PORT    STATE SERVICE
>>25/tcp  open  smtp
>>631/tcp open  ipp
>>783/tcp open  hp-alarm-mgr
>>
>>Nmap run completed -- 1 IP address (1 host up) scanned in 0.211 seconds
>>joyce at papillon:~$
>>
>>Port 25 for outgoing mails, 631 for the printer, 783 maybe the clock I
>>    
>>
>
>Port 783 is Spamassassin.
>
>  
>
>>I asked one other question, although it seems almost obvious:
>>is a zombie installed in a machine always a trojan-like program?
>>
>>Let's go for a 'ps -A', I installed a few unuseful applications these
>>days, to see how it goes :))
>>    
>>
>
>
>  
>
>>Maybe I could wonder what application processes are using them.
>>  7970 ?        00:00:00 qmgr
>>  7620 ?        00:00:00 mixer_applet2
>>    
>>
>
>man qmgr - it's part of postfix.
>
>  
>
What is wrong with running FTPd?  I know usernames and passwords are sent 
plaintext, but what is the issue with simply having the daemon running?  
So long as you don't publish it to the internet and FTP from the 
outside, I don't see a security issue here.

Mike K.

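An added example, not part of this thread: the advice above is that a trojaned nmap or ps cannot be trusted, and the nmap output pasted in the thread is what people usually read. The script below is a defender's cross-check that parses /proc/net/tcp (the kernel's own socket table) and nmap's normal text output, then reports ports that one view has and the other lacks. Both inputs are constructed samples: the scan is the one pasted earlier in the thread, the /proc/net/tcp rows are invented.

```python
import re

# Constructed sample: the localhost scan pasted earlier in this thread.
NMAP_OUTPUT = """\
PORT    STATE SERVICE
25/tcp  open  smtp
631/tcp open  ipp
783/tcp open  hp-alarm-mgr
"""

# Constructed sample of /proc/net/tcp. st 0A = LISTEN; address and port are hex,
# and the IPv4 address is stored in host byte order (little-endian on x86).
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 0100007F:030F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1
   4: 0100007F:0019 0100007F:9A3C 01 00000000:00000000 00:00000000 00000000     0        0 1238 1
"""

def listening_ports_from_proc(text):
    """Return {port: bound_address} for every TCP socket in LISTEN state."""
    ports = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":  # keep LISTEN sockets only
            continue
        ip_hex, port_hex = fields[1].split(":")
        octets = [int(ip_hex[i:i + 2], 16) for i in (6, 4, 2, 0)]  # reverse byte order
        ports[int(port_hex, 16)] = ".".join(map(str, octets))
    return ports

def open_ports_from_nmap(text):
    """Return the set of TCP ports that nmap's normal output reports as open."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", text, re.M)}

def compare_views(nmap_text, proc_text):
    """Ports the kernel lists as listening but the scan missed (with bound address),
    and ports the scan found open that the kernel does not list at all."""
    kernel = listening_ports_from_proc(proc_text)
    scanned = open_ports_from_nmap(nmap_text)
    missed_by_scan = {p: a for p, a in sorted(kernel.items()) if p not in scanned}
    unknown_to_kernel = sorted(p for p in scanned if p not in kernel)
    return missed_by_scan, unknown_to_kernel
```

On a live box, feed compare_views the text of a scan run from another host and the contents of /proc/net/tcp; entries bound to 127.0.0.1 in the missed list are expected from a remote scan, while a 0.0.0.0-bound listener the scan did not see, or an open port the kernel does not list, is worth looking at. A kernel-level rootkit can falsify /proc as well, which is exactly why the scan from a second host is the more trustworthy of the two views.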



More information about the ubuntu-users mailing list