are these enough now?

More than likely, someone pushed over a root kit to cover their
tracks...if netstat -an doesn't show 2002 open, then you can be sure of
it. Chances are, they've also replaced ps as well to hide the
process...try:
'/usr/sbin/lsof -i udp:2002' to get the PID. If you are running a RedHat
install - 'rpm -Va' and look for a '5' in the 3rd position as that
indicates a MD5 checksum difference from the binary on your machine and
the original package. 

Personally, I would recommend a reinstall as you never know for sure
what may be left lurking around.

-C
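A small triage script for the three checks above (an added example, not code from the list thread): it parses `rpm -Va` output for the '5' (digest mismatch) column, lists files rpm reports missing, and tests whether `netstat -an` shows a given UDP port. The sample outputs are constructed, and the `rpm -Va` layout is assumed to be the flag string, an optional `c` config marker, then the path.

```sh
#!/bin/sh
# Constructed sample of 'rpm -Va' output (not from a real host).
SAMPLE_RPM_VA='S.5....T.    /bin/ps
S.5....T.    /bin/netstat
.......T.    /usr/bin/perl
S.5....T.  c /etc/snmp/snmpd.conf
missing     /usr/sbin/lsof
..5......    /usr/bin/lsof'

# Constructed sample of 'netstat -an' output (not from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# Print paths whose 3rd verify column is '5' (on-disk digest differs from the
# package).  Files rpm marks as config ('c') are skipped: local edits to those
# are expected and would only add noise when hunting for replaced binaries.
changed_binaries() {
    printf '%s\n' "$1" | awk '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" && $2 != "c" { print $NF }'
}

# Print paths rpm could not find at all; a removed or renamed system tool
# deserves the same scrutiny as a modified one.
missing_files() {
    printf '%s\n' "$1" | awk '$1 == "missing" { print $NF }'
}

# Return 0 if a UDP socket bound to port $1 appears in the netstat output $2.
# Works for IPv4 ("0.0.0.0:161") and IPv6 (":::161") local address columns.
udp_port_listed() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 == "udp" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Return 0 when a port an external nmap scan reported open is absent from the
# host's own netstat output: that gap is the sign this reply describes, that
# the listener exists but the local tools no longer report it.
hidden_listener() {
    if udp_port_listed "$1" "$2"; then return 1; else return 0; fi
}
```

Run `rpm -Va` and `netstat -an` on the host and feed their real output to these functions in place of the constructed samples.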

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Friday, October 04, 2002 8:09 AM
To: netfilter@lists.netfilter.org
Subject: Re: are these enough now?


On Friday 04 October 2002 12:25 pm, PayalR wrote:

> Hi all,
> Thanks a lot for the mails.
>
> > 161 - snmp - are you managing this system from elsewhere, or is this
> > machine the snmp monitor ?   UDP 161 only needs to be inbound if this
> > machine is being monitored from elsewhere
>
> Well, I don't know anything about SNMP thing. But the guys at the 
> server farm suggested I make some changes as told by them in my 
> snmpd.conf, so that they say I there will be able to monitor my 
> machine. I guess so I am just a client SNMP. So, which ports to keep 
> open?

UDP 161 inbound - to listen for SNMP commands
UDP 162 outbound - to generate SNMP traps

> > > Also, nmap shows that 2002/udp globe is open. Shall I close it?
> >
> > machine already has the Slapper worm on it, since that opens UDP 
> > port 2002
>
> well, my machine had a slapper worm. I removed the .bugtraq file from 
> /tmp. Now still the port is open. This is very important to me. How do
> I close the port???? nmap report says,
> 2002/udp   open        globe
> How do I know where and what is globe? How do I shut it?

Sorry - don't know - never had Slapper :-)   Anyone else here got any 
experience or pointers ?

> > I would recommend setting your OUTPUT chain to ESTABLISHED,RELATED
>
> do you mean similar to INPUT rule i.e using -m and all?

Yes.

Antony.

-- 

Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.

 - William Gibson, Neuromancer (1984)
