S. Khademi wrote:

>Dear friend.
>
>Recently one of my servers was attacked by a person; he made a directory in my
>/dev/ida/ path with the name .sys/aw. I looked at the open ports on my machine
>with the nmap command and I see:
>
>Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
>Interesting ports on cisgate.iut.ac.ir (213.29.206.17):
>(The 1531 ports scanned but not shown below are in state: closed)
>Port       State       Service
>22/tcp     open        ssh
>25/tcp     open        smtp
>80/tcp     open        http
>111/tcp    open        sunrpc
>443/tcp    open        https
>515/tcp    open        printer
>993/tcp    open        imaps
>995/tcp    open        pop3s
>3128/tcp   open        squid-http
>6000/tcp   open        X11
>32774/tcp  open        sometimes-rpc11
>
>I don't know anything about the sometimes-rpc11 port, and I don't know about
>this. How can I close this port, and what must I do to keep my server
>from being attacked???
>And I want to know how he attacked my server.
>Ps. My OS is linux redhat 7.2
>By regards khademi
>
>

Hi Khademi,

First, to kill the process that is running, you can use either lsof or
netstat to find out what is running on what port, like this:

    lsof -i -n | grep 32774

or

    netstat -nap | grep 32774

That will tell you what is running on those ports and the process ID.

Next, probably the best thing to do is back up all of your data and
reinstall the OS, as it may be hard to tell if any programs have been
trojaned. You may also want to set up an IPTables firewall to
restrict/deny access to many of the open ports.

Hope this helps,
Jeff
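Added example, not part of the message above: `grep 32774` also matches lines where 32774 appears as a PID or as a remote port, so this filter selects `netstat -nap` lines by local port only. The sample output, its addresses and the program name `exampled` are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `netstat -nap` output (not from the original post).
# Every socket line contains the string 32774, but only two are bound to it.
sample_netstat() {
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:32774           0.0.0.0:*               LISTEN      612/exampled
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      32774/sshd
tcp        0      0 192.0.2.10:22           192.0.2.99:32774        ESTABLISHED 901/sshd
udp        0      0 0.0.0.0:32774           0.0.0.0:*                           612/exampled
EOF
}

# listeners_on_port PORT
# Reads netstat -nap text on stdin and prints "proto local-address pid/program"
# for sockets whose *local* port is exactly PORT (TCP must be in LISTEN state).
listeners_on_port() {
    awk -v port="$1" '
        $1 !~ /^(tcp|udp)/ { next }              # skip banner and header lines
        {
            n = split($4, a, ":")                # port follows the last colon
            if (a[n] != port) next               # ignore PID and remote-port hits
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            print $1, $4, $NF                    # last field is PID/Program name
        }'
}

# pids_on_port PORT
# Same input; prints only the unique process IDs that own the port.
pids_on_port() {
    listeners_on_port "$1" | awk '{ split($3, p, "/"); print p[1] }' | sort -u
}

echo "lines matched by plain grep: $(sample_netstat | grep -c 32774)"
echo "sockets bound to port 32774:"
sample_netstat | listeners_on_port 32774
```

On the live host the input would be `netstat -nap | listeners_on_port 32774`, run as root; without root, netstat shows `-` in place of the PID and program name.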