Thanks for that Ben,

This box is not connected directly - my firewall/router port forwards traffic to port 80 for HTTP and 25 for Sendmail.

I have blocked all connections to the relevant Trojan ports on the firewall, in and out.

I also have Firestarter on the RH box which is behind the router - belt and braces maybe!!

I'm closely watching anything that goes out.

Thanks for your reply.

Kevin

----- Original Message -----
From: "Benjamin J. Weiss" <benjamin@xxxxxxxxxxx>
To: "Kevin Passey" <kev@xxxxxxxxxxxxxxxxxxxxxxxx>; "General Red Hat Linux discussion list" <redhat-list@xxxxxxxxxx>
Sent: Tuesday, February 01, 2005 3:14 PM
Subject: Re: Service: ingreslock (tcp/1524) (,none,eth0) - 3 packets

> Kevin Passey wrote:
>
> >Hi all,
> >
> >I found this in my LogWatch so I started Googling and became very nervous that I had been hacked.
> >
> >I checked for all the various /tmp/bob files etc - installed chkrootkit and ran it - nothing !! I've blocked all the relevant outgoing traffic on my router/firewall and installed firestarter.
> >
>
> I would run chkrootkit from a live CD. Specifically, I'd download and
> burn a LiveCD of knoppix-std or one of the others that has chkrootkit,
> then I'd reboot with that CD, mount your old filesystem, and run
> chkrootkit that way. It's the only way to ensure that you don't have
> hostile kernel modules hiding themselves. Of course, if you have been
> rooted, I wouldn't expect that those log entries would have shown up...
>
> Ben
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
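
The live-CD check suggested in the quoted reply, written out as a script. This is an added example, not part of the original thread: the device, mount point and report path are assumptions supplied by whoever runs it, and it expects to be run as root from the live CD session.

```shell
#!/bin/sh
# Added example: offline chkrootkit scan of an installed system's disk,
# run from a live CD so the suspect kernel and its modules are not loaded.
# DEVICE, MOUNTPOINT and REPORT are placeholders chosen by the operator.

offline_scan() {
    dev=$1                                   # suspect root partition
    mnt=${2:-/mnt/suspect}                   # hypothetical mount point
    report=${3:-/tmp/chkrootkit-offline.txt} # hypothetical report path

    [ -n "$dev" ] || {
        echo "usage: offline_scan DEVICE [MOUNTPOINT] [REPORT]" >&2
        return 2
    }

    mkdir -p "$mnt" || return 2
    # Read-only so the disk is not modified by the scan; noexec/nosuid/nodev
    # so nothing stored on the suspect disk can run or gain privileges here.
    mount -o ro,noexec,nosuid,nodev "$dev" "$mnt" || return 2

    # -r tells chkrootkit to treat $mnt as the root directory. The tools it
    # calls (ls, ps, strings ...) are the live CD's own copies from PATH.
    chkrootkit -r "$mnt" > "$report" 2>&1
    umount "$mnt"

    # chkrootkit marks a positive check with the upper-case word INFECTED;
    # clean checks say "not infected" in lower case.
    if grep -q 'INFECTED' "$report"; then
        grep 'INFECTED' "$report"
        return 1
    fi
    return 0
}

# Run directly: sh offline-scan.sh DEVICE [MOUNTPOINT] [REPORT]
if [ "$#" -gt 0 ]; then offline_scan "$@"; fi
```

Exit status 0 means no check reported INFECTED, 1 means at least one did (the matching lines are printed), and 2 means the disk could not be mounted.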