He shouldn't assume that it's the rpc11 port that caused his exploit. It could be sendmail, ssh or apache if he hasn't updated security fixes of the past few months. lpr and X11 shouldn't be run as open ports on an Internet server.

I would rebuild the box and start over, migrate data, triple check for exploits in the data migrated...

Chuck Peters, Systems Administrator, Network Engineer and Linux Tech.
StarrySkies Network, http://StarrySkies.com, publishing science articles since 1995.
http://StarrySkies.Net, an online science community.
http://StarryMessenger.Net, the weekly newsletter of StarrySkies.

On 7 Nov 2002, Damon Brinkley wrote:

> You need to find out what process is listening on that port and stop
> it. Otherwise set up Iptables to block connections to that port.
>
> Damon
>
> On Thu, 2002-11-07 at 14:50, S. Khademi wrote:
> > Dear friend.
> >
> > Recently one of my servers was attacked by a person; he made a directory in my
> > /dev/ida/ path with the name .sys/aw. I looked at the open ports on my machine
> > with the nmap command and I see:
> >
> > Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> > Interesting ports on cisgate.iut.ac.ir (213.29.206.17):
> > (The 1531 ports scanned but not shown below are in state: closed)
> > Port       State       Service
> > 22/tcp     open        ssh
> > 25/tcp     open        smtp
> > 80/tcp     open        http
> > 111/tcp    open        sunrpc
> > 443/tcp    open        https
> > 515/tcp    open        printer
> > 993/tcp    open        imaps
> > 995/tcp    open        pop3s
> > 3128/tcp   open        squid-http
> > 6000/tcp   open        X11
> > 32774/tcp  open        sometimes-rpc11
> >
> > I don't know anything about the sometimes-rpc11 port. How can I close
> > this port, and what must I do to keep my server from being attacked???
> > And I want to know how he attacked my server.
> > Ps. My OS is linux redhat 7.2
> > By regards khademi
> >
> > --
> > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> > Soheila Khademi
> > e-mail: khademy@yahoo.com
> >         soheila@maniac.sdc.uwo.ca
> > Network Admin                            khademi@cc.iut.ac.ir
> > Network Services
> > Center For Information Services (CIS)    http://www.iut.ac.ir
> > Isfahan University of Technology (IUT)   Tel: 98 311 3915840-1,45
> > Isfahan, IRAN                            Fax: 98 311 3915805
> > _/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
> >
> > ------------------------------------------------------------------------
> > To unsubscribe email security-discuss-request@linuxsecurity.com
> > with "unsubscribe" in the subject of the message.
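
The advice in this thread (find the listener behind each unexpected port, stop it, otherwise block it with iptables) can be turned into a small audit of the nmap listing. The script below is an added example, not part of the original messages: the allow-list is an assumption about what this server is meant to offer, the sample is constructed from the port table quoted above, and the follow-up commands are only printed for review, never executed.

```shell
#!/bin/sh
# Audit an nmap port table against an allow-list and print the commands an
# administrator would review next. Nothing here changes the system.

# Constructed sample: the port table from the nmap output quoted in the thread.
SAMPLE_SCAN='Port State Service
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
443/tcp open https
515/tcp open printer
993/tcp open imaps
995/tcp open pop3s
3128/tcp open squid-http
6000/tcp open X11
32774/tcp open sometimes-rpc11'

# Assumption: services this host is meant to expose; adjust to your own policy.
ALLOWED_PORTS="22 25 80 443 993 995 3128"

# unexpected_ports SCAN ALLOWED
# Prints "port service" for every open TCP port that is not on the allow-list.
# Header and summary lines are skipped because they do not match N/tcp + open.
unexpected_ports() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
            split($1, p, "/")
            if (!(p[1] in ok)) print p[1], $3
        }'
}

# review_plan SCAN ALLOWED
# For each unexpected port: first identify the listening process, then the
# iptables rule to apply if the service cannot simply be stopped.
review_plan() {
    unexpected_ports "$1" "$2" | while read -r port svc; do
        echo "# $port/tcp ($svc): identify the listener, stop it if not needed"
        echo "netstat -tlnp | grep ':$port '"
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
    # High "sometimes-rpc" ports are assigned by the portmapper on 111.
    echo "rpcinfo -p localhost   # list registered RPC programs and their ports"
}

review_plan "$SAMPLE_SCAN" "$ALLOWED_PORTS"
```

On a host that is already suspected compromised, the output of `netstat` on that host may not be trustworthy, which is why the reply above recommends rebuilding the box.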