Chuck Peters wrote:

>He shouldn't assume that it's the rpc11 port that caused his exploit. It
>could be sendmail, ssh or apache if he hasn't updated security fixes of
>the past few months. lpr and X11 shouldn't be run as open ports on an
>Internet server. I would rebuild the box and start over, migrate data,
>triple check for exploits in the data migrated...
>
>Chuck Peters, Systems Administrator, Network Engineer and Linux Tech.
>StarrySkies Network, http://StarrySkies.com, publishing science articles
>since 1995. http://StarrySkies.Net, an online science community.
>http://StarryMessenger.Net, the weekly newsletter of StarrySkies.
>
>
>On 7 Nov 2002, Damon Brinkley wrote:
>
>>You need to find out what process is listening on that port and stop
>>it. Otherwise set up Iptables to block connections to that port.
>>
>>Damon
>>
>>On Thu, 2002-11-07 at 14:50, S. Khademi wrote:
>>
>>>Dear friend.
>>>
>>>Recently one of my servers was attacked by a person; he made a directory in my
>>>/dev/ida/ path with the name .sys/aw. I looked at the open ports on my machine
>>>with the nmap command and I see:
>>>
>>>Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
>>>Interesting ports on cisgate.iut.ac.ir (213.29.206.17):
>>>(The 1531 ports scanned but not shown below are in state: closed)
>>>Port       State       Service
>>>22/tcp     open        ssh
>>>25/tcp     open        smtp
>>>80/tcp     open        http
>>>111/tcp    open        sunrpc
>>>443/tcp    open        https
>>>515/tcp    open        printer
>>>993/tcp    open        imaps
>>>995/tcp    open        pop3s
>>>3128/tcp   open        squid-http
>>>6000/tcp   open        X11
>>>32774/tcp  open        sometimes-rpc11
>>>
>>>I don't know anything about the sometimes-rpc11 port. How can I close this
>>>port, and what must I do to keep my server from being attacked?
>>>And I want to know how he attacked my server.
>>>P.S. My OS is linux redhat 7.2
>>>With regards, khademi
>>>
>>> --
>>>_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>>> Soheila Khademi
>>> e-mail: khademy@yahoo.com
>>>         soheila@maniac.sdc.uwo.ca
>>> Network Admin                          khademi@cc.iut.ac.ir
>>> Network Services
>>> Center For Information Services (CIS)  http://www.iut.ac.ir
>>> Isfahan University of Technology (IUT) Tel: 98 311 3915840-1,45
>>> Isfahan, IRAN                          Fax: 98 311 3915805
>>>_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/_/
>>>
>>>------------------------------------------------------------------------
>>> To unsubscribe email security-discuss-request@linuxsecurity.com
>>> with "unsubscribe" in the subject of the message.

I say disconnect, dd, rebuild and analyze, not in this particular order, but you get the point.
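
Damon's advice to find out what process is listening on a port, as an added example that is not part of the original thread: it reads the kernel's socket table in `/proc/net/tcp` format and maps each listening socket's inode to the PIDs holding it. The sample table, the function names and the little-endian (x86) assumption are constructed for this illustration.

```python
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format (not from the poster's machine).
# Ports are hex: 8006 = 32774, 0016 = 22, 0019 = 25. State 0A = LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8006 00000000:0000 0A 00000000:00000000 00:00000000 00000000    29        0 1201 1 c0de0001 300 0 0 2 -1
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1350 1 c0de0002 300 0 0 2 -1
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1422 1 c0de0003 300 0 0 2 -1
   3: 0500000A:0016 0900000A:C350 01 00000000:00000000 02:000A1B2C 00000000     0        0 2077 2 c0de0004 21 4 1 2 -1
"""

def parse_listeners(text):
    """Return (ip, port, uid, inode) for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != "0A":         # 0A = TCP_LISTEN
            continue
        addr_hex, port_hex = f[1].split(":")
        # Assumption: little-endian host (x86), so the IPv4 word is byte-swapped.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        listeners.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return listeners

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding socket:[inode]; needs root to see other users' processes."""
    target = "socket:[%d]" % inode
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:                         # process exited or access denied
            continue
    return sorted(pids)

if __name__ == "__main__":
    live = os.path.isfile("/proc/net/tcp")
    table = open("/proc/net/tcp").read() if live else SAMPLE_PROC_NET_TCP
    for ip, port, uid, inode in parse_listeners(table):
        owners = pids_for_inode(inode) if live else []
        print("%s:%d uid=%d inode=%d pids=%s" % (ip, port, uid, inode, owners))
```

On a host that is already suspected of compromise, the running system's own view (userland tools and `/proc` alike) can be tampered with, so treat the output as a lead and confirm it against the disk image taken offline.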