Soheila Khademi wrote:

> Recently one of my servers was attacked by a person; he made a directory
> in my /dev/ida/ path named .sys/aw. I looked at the open ports on my
> machine with the nmap command and I see:
>
> Starting nmap V. 2.54BETA22 ( www.insecure.org/nmap/ )
> Interesting ports on cisgate.iut.ac.ir (213.29.206.17):
> (The 1531 ports scanned but not shown below are in state: closed)
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 80/tcp open http
> 111/tcp open sunrpc
> 443/tcp open https
> 515/tcp open printer
> 993/tcp open imaps
> 995/tcp open pop3s
> 3128/tcp open squid-http
> 6000/tcp open X11
> 32774/tcp open sometimes-rpc11
>
> I don't know anything about the sometimes-rpc11 port, and I don't know
> about this. How can I close this port, and what must I do to keep
> my server from being attacked???
> And I want to know how he attacked my server.
> PS. My OS is Linux Red Hat 7.2
> Best regards, Khademi

It is apparent from the number of open ports and their respective names that you have many services running which are most probably unused at this point and, having been so, are probably not patched either. Smells like a default install!

What you should do is run 'ps -aux' and ascertain the PIDs of the daemons providing these services, subsequently killing them.

Secondly, if this isn't a server at all, I'd suggest killing 'inetd':

    ps -aux | grep inetd ; killall -9 inetd

Thirdly, check on the appropriate Red Hat site for patches and upgrades, and update your system regularly. Make sure all the services shown in the scan you have provided us are properly patched.

If the process running port 32774 for sometimes-rpc11 is indeed an RPC process, you may confirm this by running 'rpcinfo -p'.
Last of all, use the following IPCHAINS command, and additionally enter it into /etc/rc.d/rc.local so that it's parsed at startup (ipchains matches a port only with a protocol given via -p, and the destination port follows the -d address; 0.0.0.0/0 means any source):

    ipchains -A input -p tcp -s 0.0.0.0/0 -d <YOUR IP ADDRESS> 32774 -j REJECT -l

----------------------------------
With Best Regards,
Ali Saifullah Khan,
Asstt. Project Administrator,
GemSEC Information Security Division,
Gem Internet Services, (Pvt.) Ltd.
Key ID : 0xA3B7379C
Key Fingerprint : 111F D465 3FB0 C02E 4080 8DE6 D887 CA97 A3B7 379C
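The reply above hand-writes one ipchains rule for port 32774; the script below (an added example, not part of the original message or of any project's code) generalizes that step: it parses the nmap output quoted in the thread, embedded inline so it runs offline, and prints a REJECT rule for every open TCP port that is not on an explicit allow-list. The allow-list of ports 22, 25 and 443 is an assumption for illustration, and the rules are printed rather than applied, so you can review them before putting them in /etc/rc.d/rc.local.

```shell
#!/bin/sh
# Added example (not from the original post): turn the open ports reported by
# an nmap scan into ipchains REJECT rules for everything that is not on an
# explicit allow-list. The scan text is the one quoted in the thread; the
# allow-list is an assumption. Rules are printed, never executed.

SCAN_OUTPUT='Interesting ports on cisgate.iut.ac.ir (213.29.206.17):
(The 1531 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
443/tcp    open        https
515/tcp    open        printer
993/tcp    open        imaps
995/tcp    open        pop3s
3128/tcp   open        squid-http
6000/tcp   open        X11
32774/tcp  open        sometimes-rpc11'

# open_tcp_ports SCAN: print the port numbers reported "open" for tcp, one
# per line. Header lines and the closed-port summary do not match the pattern.
open_tcp_ports() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
        sub(/\/tcp$/, "", $1); print $1 }'
}

# reject_rules ADDRESS ALLOWLIST SCAN: emit one ipchains rule per open port
# that is not in ALLOWLIST (a space-separated list of port numbers).
# "-p tcp" is required for a port match, the port follows the -d address,
# "0.0.0.0/0" means any source, and "-l" logs each rejected packet to syslog
# so later connection attempts are visible.
reject_rules() {
    addr=$1
    allow=" $2 "
    for port in $(open_tcp_ports "$3"); do
        case "$allow" in
            *" $port "*) ;;   # wanted service: leave it reachable
            *) printf 'ipchains -A input -p tcp -s 0.0.0.0/0 -d %s %s -j REJECT -l\n' \
                   "$addr" "$port" ;;
        esac
    done
}

# Usage: keep ssh, smtp and https reachable, print rules for the other eight.
reject_rules 213.29.206.17 "22 25 443" "$SCAN_OUTPUT"
```

Filtering is a stopgap: a daemon that is still running behind a REJECT rule is still unpatched, so the rules buy time while the service is stopped or upgraded as the reply advises.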