Re: security issue help

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Do a netstat -an to see what ports are listening.  Typical IRC traffic
is TCP ports 6667, 6668, 6669.  If you see listening on one of those
ports yet are not running IRC, good indicator.  Botnets can run on
alternate ports in the meantime so even if you don't see listening on
those ports, it doesn't mean you are in the clean.  You can also check
running processes (ps - aux) to look for any suspicious processes.
The top command can also be of assistance in seeing what processes are
running.  ntop (see http://www.ntop.org/) is another tool you could
use to examine network traffic.  And running wireshark (formerly
ethereal) to capture traffic to attempt to identify suspicious network
activity.  You can install wireshare from extras I believe, as well as
wireshark-gnome (actually if you yum install wireshark-gnome,
wireshark should get installed as a dependancy).

Of course the check rootkit tool is another one that can be very helpful.

Good luck,

Jacques B.


On 9/13/06, Jim Cornette <fc-cornette@xxxxxxxxxxxxxx> wrote:

Leon wrote:
> My box running FC6 T3 has been warned by my College:
>
> ,----
> | We've been investigating an IRC botnet involving JANET hosts in
> | coordination with the IRC network involved. It appears, from logs of
> | connections to IRC channels, that xxxx.xxx.xxx.ac.uk is
> | involved.
> |
> | The other hosts involved so far have been compromised through an
> | unknown
> | vulnerability, possibly via. HTTP or SSH but we're not sure at this
> | stage.
> |
> | Please could you investigate as soon as possible and let us know what
> | you find. Any information could be very helpful to the other JANET
> | sites
> `----
>
> Here is the question: how can I check if my computer is compromised?
> Thank you.
>

There are two programs that check system integrity that are available in
Fedora Extras. chkrootkit and rkhunter are programs that are supposed to
find suspicious activity on your system.

Jim

--
Let the people think they govern and they will be governed.
                -- William Penn, founder of Pennsylvania

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list



--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux