On Fri, 3 May 2002, Muhammad Faisal Rauf Danka wrote:

> Anyway, first of all, there could be two reasons for those ports to be seen (filtered), : )
> First: the external host from which you are scanning, either the host itself could
> be filtering those outgoing connections, or the router or gateway of that
> external machine could be filtering outgoing ports, which are seen in
> your scan as filtered.

This is not the case here, and I should know because I have to scan from here once in a while, so I know what the "normal" output should be.

> Secondly: Maybe your firewall is not sending a REJECT message on those ports and
> instead sending DENY or DROP. So that's why your box is not saying
> (HELLO You are not Allowed on this port), so supposedly nmap thinks that
> those ports are being filtered.

I think that the theory of these ports being filtered by routers is one with some weight, because it is an ATT broadband where that IP is. Now, I do not know for sure if ATT does that.

> As far as the chkrootkit problem is concerned, why don't you just install
> RH7.0 on a fresh different PC and then make md5sum of all the critical
> files which are in /bin and /sbin and then compare those signatures with
> the box you're suspicious that is cracked. (make sure you make a copy of
> (supposedly compromised box) first.

There is no way I am installing any RH 7.0 unless it is for a honeypot = )

I was able to contact the person and he has told me that that computer was never connected to the internet without a firewall (ipchains in this case) and never had ftp, telnet, lprn enabled or open. So I am taking his word for that. If he decides to re-install, it is not going to be RH 7.0.
> Also, another method which I commonly do is that I keep clean copies of binaries
> which are most commonly trojanned, such as:
>
> netstat
> ls
> ps
> lsof (I just saw one rootkit with lsof binary so far)
> pstree ( // )
> /bin/login
> finger
> who

This is an excellent recommendation for all kinds of systems; the problem is that most people never do that, and that is why they send emails to people like us, asking for help. We all should be doing that all the time; I admit I don't : )

> and whenever I feel a bit paranoid (which I mostly do), I just
> slip out my floppy of those binaries and compare output of the existing
> system binaries with the output of my fresh/clean binaries on a write-
> protected disk.

I use either tripwire or Aide on my systems.

Thanks for the feedback!

David Correa
Public Key http://www.linux-tech.com/linuxtech.asc
Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8

------------------------------------------------------------------------
To unsubscribe email security-discuss-request@linuxsecurity.com
with "unsubscribe" in the subject of the message.
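A small baseline-and-verify script in the spirit of the md5sum comparison and the clean-binaries floppy discussed in the thread, added here as an illustration and not part of either poster's message. It assumes a POSIX sh with find, md5sum and awk, paths without whitespace, and that the copies of those tools running it are trusted.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal baseline-and-verify check
# (a poor man's tripwire/AIDE) for directories such as /bin and /sbin.
# Assumes: POSIX sh, find, md5sum and awk, and no whitespace in file paths.
# Run it with a trusted toolset (e.g. statically linked copies on read-only
# media): a trojaned md5sum, find or awk on the suspect box can lie about
# its own files, which is exactly the problem the clean-floppy trick avoids.

# make_baseline DIR OUT
# Record "digest  path" for every regular file under DIR, sorted by path so
# the baseline is stable and can itself be kept on write-protected media.
make_baseline() {
    mb_dir=$1; mb_out=$2
    find "$mb_dir" -type f -exec md5sum {} + | sort -k 2 > "$mb_out"
}

# verify_baseline DIR BASE
# Re-hash DIR and compare with BASE. Prints one line per difference
# (CHANGED/MISSING/NEW path); returns 1 if anything differs, 0 if clean.
verify_baseline() {
    vb_dir=$1; vb_base=$2
    vb_now=$(mktemp) || return 2
    find "$vb_dir" -type f -exec md5sum {} + | sort -k 2 > "$vb_now"
    # awk sees $1 = digest, $2 = path (md5sum separates them with two spaces).
    vb_report=$(awk '
        NR == FNR { base[$2] = $1; next }            # first file: the baseline
        !($2 in base) { print "NEW " $2; next }      # present now, not baselined
        base[$2] != $1 { print "CHANGED " $2 }       # digest differs
        { delete base[$2] }                          # seen: drop from baseline set
        END { for (p in base) print "MISSING " p }   # baselined but gone now
    ' "$vb_base" "$vb_now")
    rm -f "$vb_now"
    [ -z "$vb_report" ] && return 0
    printf '%s\n' "$vb_report"
    return 1
}

# Command-line use: baseline.sh make DIR OUT  |  baseline.sh verify DIR BASE
case ${1:-} in
    make)   make_baseline "$2" "$3" ;;
    verify) verify_baseline "$2" "$3" ;;
esac
```

md5sum is used because that is what the thread suggests; for a baseline built today, swapping in sha256sum is a one-word change.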