Hi Kai,

> bindshell'... INFECTED (PORTS: 1524 31337)
>
> I could need some help with what this exactly means ? Also how to trace it
> and fix it..

bring an uncompromised "netstat" on the machine and when you run "netstat -anp|grep LISTEN" you'll see that a shell has been bound to the ports listed above. Connecting to those an attacker can gain root access on your machine without authorization.

You can use LSOF (grab the RH6.2 RPM for i386 and bring it onto the machine) to find out which processes are responsible for this. But I'd look at the following places:

/etc/inetd.conf
/etc/rc.d/rc.local
/etc/rc.d/rc.sysinit

If that search turns out blank, then check the rest of the init scripts in /etc/rc.d/init.d/ for suspicious additions.

Does chkrootkit show that any of the system binaries has been replaced?

--
With best regards,

Michael Stauber
Linux/Unix Support Engineer
SOLARSPEED.NET
_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
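
The two checks described in the reply above (listeners on the reported ports, and shell entries in inetd.conf), as an added example that is not part of the original message. The function names and all sample data are constructed for illustration; the inetd.conf sample assumes the service name `ingreslock`, which /etc/services maps to 1524/tcp.

```shell
#!/bin/bash
# Added example; all sample data below is constructed for illustration.

SUSPECT_PORTS="1524 31337"   # ports from the chkrootkit line quoted above

# Print LISTEN lines from `netstat -anp` output (stdin) whose LOCAL port is
# in the space-separated list passed as $1. The PID/program column is kept.
listeners_on_ports() {
    awk -v ports="$1" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            m = split($4, a, ":")     # field 4 is local addr:port, port is last
            if (a[m] in want) print
        }'
}

# Print active (uncommented) inetd.conf lines (stdin) whose server program,
# field 6, is a shell: the usual shape of an inetd-spawned bindshell.
inetd_shell_entries() {
    awk '!/^[ \t]*#/ && NF >= 6 && $6 ~ /\/(ba|c|k|tc|z)?sh$/ { print }'
}

sample_netstat() {   # constructed netstat -anp output
cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      512/sshd
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN      498/inetd
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      1021/sh
tcp        0      0 10.0.0.5:22             10.0.0.9:31337          ESTABLISHED 1377/sshd
EOF
}

sample_inetd() {     # constructed /etc/inetd.conf
cat <<'EOF'
# service socket proto wait user server args
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
#shell  stream  tcp     nowait  root    /bin/sh sh -i
ingreslock stream tcp nowait root /bin/sh sh -i
EOF
}

# On a live host, feed these from the uncompromised netstat copy and the real
# file instead, e.g.:  /mnt/trusted/netstat -anp | listeners_on_ports "$SUSPECT_PORTS"
# (the /mnt/trusted path is a placeholder).
sample_netstat | listeners_on_ports "$SUSPECT_PORTS"
sample_inetd   | inetd_shell_entries
```
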
