
Date:  Fri, 29 Dec 2006 19:00:34 -0800
From:  "Adam Crews" <adam.crews (at mark) gmail.com>
Subject:  [coba-e:08420] Re: System hacked?!?!?
To:  coba-e (at mark) bluequartz.org
Message-Id:  <1486c6440612291900p3c2368c6xbd0de5eb1561f8c9 (at mark) mail.gmail.com>
In-Reply-To:  <005701c72b97$908c2c30$6600a8c0 (at mark) hundredacrewood.willspc.net>
References:  <013201c72b7c$bf23ec10$3701a8c0 (at mark) lapxp>	 <005701c72b97$908c2c30$6600a8c0 (at mark) hundredacrewood.willspc.net>
X-Mail-Count: 08420

If you suspect you have been hacked, do not trust anything on the
system to give you accurate readings.  You should get netstat from an
rpm, or other trusted system, and use that binary.  There are some
rootkits that will install updated versions of lsof, netstat, ps, ls,
and other useful tools that will hide the rootkit's existence.

-Adam
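One way to act on the advice above, as an added example that is not code from the thread or from any of the posters: read the kernel's own socket table (/proc/net/tcp) directly and compare it with what the installed netstat claims, so a listener that a trojaned netstat hides still shows up. The /proc/net/tcp and 'netstat -an' text used here is constructed sample input.

```python
# Added example, not from the mailing-list thread; the sample inputs below are constructed.
import re
BINDSHELL_PORTS = {465, 1524, 31337}   # ports chkrootkit's bindshell test flagged in the thread

def parse_proc_net_tcp(text):
    """Decode /proc/net/tcp rows to (local_ip, local_port, state); IPv4 is little-endian hex."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        addr_hex, port_hex = fields[1].split(":")
        ip = ".".join(str(int(addr_hex[i:i + 2], 16)) for i in (6, 4, 2, 0))
        rows.append((ip, int(port_hex, 16), fields[3]))
    return rows

def kernel_listen_ports(text):
    """Ports in TCP_LISTEN (state 0A) according to the kernel itself."""
    return {port for _, port, state in parse_proc_net_tcp(text) if state == "0A"}

def netstat_listen_ports(text):
    """Ports a 'netstat -an' listing claims are in LISTEN."""
    ports = set()
    for line in text.splitlines():
        m = re.match(r"tcp\S*\s+\d+\s+\d+\s+\S+:(\d+)\s.*\bLISTEN\b", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def hidden_listeners(proc_text, netstat_text):
    """Listeners the kernel reports but netstat omits; re-run to rule out a race, then distrust netstat."""
    return kernel_listen_ports(proc_text) - netstat_listen_ports(netstat_text)

def bindshell_hits(proc_text):
    """Which of the chkrootkit bindshell ports are really open, per the kernel."""
    return sorted(kernel_listen_ports(proc_text) & BINDSHELL_PORTS)

# Constructed sample: kernel lists 465, 1524, 31337 (plus one established session); netstat omits 31337.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0100007F:01D1 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
"""
NETSTAT_AN = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
"""
```

Run it with the sample data and 31337 comes back as a listener that netstat is not showing; on a live system, replace the samples with the real /proc/net/tcp and the output of a netstat taken from a trusted rpm.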


On 12/29/06, Will Nordmeyer <will (at mark) willspc.net> wrote:
> Sorry about the HTML - right after I sent, I realized I was in HTML...
>
> Services on:
> Domain Name Service (DNS) Server
> Email Servers
> File Transfer Protocol (FTP) Server
> MySQL Server
> Server Desktop
> Simple Network Management Protocol (SNMP) Server
> Web Server
>
> Netstat -an is attached.
>
> The GUI shows Sendmail using 465 & Portsentry using 1524 & 31337.
>
> Can I just chalk it up to false positives from chkrootkit?
>
> --Will
>
> ________________________________________
> From: Arthur Sherman [mailto:arturs (at mark) netvision.net.il]
> Sent: Friday, December 29, 2006 2:09 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08399] Re: System hacked?!?!?
>
> please post in plain text - much easier to track the thread later.
>
> port 456 could be open due to SMTPS, others could be different.
>
> could you post here what services are on/off in GUI, and also output of
> 'netstat -an' ?
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam
>
>
> ________________________________________
> From: Will Nordmeyer [mailto:will (at mark) willspc.net]
> Sent: Friday, December 29, 2006 12:59 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08385] System hacked?!?!?
> This morning's chkrootkit output is declaring that bindshell is infected…
> ports 465, 1524 & 31337. When I do a netstat -anup and grep for those
> ports, I see sendmail using 465 and portsentry using 1524 & 31337.
>
> Am I getting a false positive? What else can I check?
>
> I'm installing rootkithunter as we speak.
>
> --Will
>
>
>


-- 
-----------------------------------------------------------------
Shroom.net Donation Based Web Hosting
http://www.shroom.net/
-----------------------------------------------------------------