Hi, and thanks Michael, I will have a go at this. I must admit that I am a newbie and would be glad if someone could tell me a little more specifically how to do this:
> You can use LSOF (grab the RH6.2 RPM for i386 and bring it onto
> the machine)

Thanks to the people answering on this list. I learn something every day (not least from you Michael).

Takk/Thanks/Danke
Kai R S

> Hi Kai,
>
> > > bindshell'... INFECTED (PORTS: 1524 31337)
> >
> > I could need some help with what this exactly means? Also how to trace it
> > and fix it..
>
> Bring an uncompromised "netstat" on the machine and when you run
> "netstat -anp|grep LISTEN" you'll see that a shell has been bound to the
> ports listed above. Connecting to those an attacker can gain root access on
> your machine without authorization.
>
> You can use LSOF (grab the RH6.2 RPM for i386 and bring it onto the machine)
> to find out which processes are responsible for this.
>
> But I'd look at the following places:
>
> /etc/inetd.conf
> /etc/rc.d/rc.local
> /etc/rc.d/rc.sysinit
>
> If that search turns out blank, then check the rest of the init scripts in
> /etc/rc.d/init.d/ for suspicious additions.
>
> Does chkrootkit show that any of the system binaries has been replaced?
>
> --
>
> With best regards,
>
> Michael Stauber
> Linux/Unix Support Engineer
> SOLARSPEED.NET
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security
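The first two checks from the quoted reply (listening sockets on the reported ports, then `/etc/inetd.conf`), as an added example that is not part of the original thread. The function names are hypothetical, the sample data is constructed, and the parsing assumes the Linux net-tools `netstat -anp` column layout and that 1524/tcp is named `ingreslock` in `/etc/services`.

```bash
#!/usr/bin/env bash
# Added example: triage for the chkrootkit "bindshell" finding in this thread.
PORTS="1524 31337"          # ports from the chkrootkit report above

# Read `netstat -anp` output on stdin; print "port pid/program" for every
# TCP socket in LISTEN state whose local port is in PORTS.
find_listeners() {
    awk -v ports="$PORTS" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            m = split($4, a, ":")          # last ":" field is the port (IPv4 and IPv6)
            if (a[m] in want) print a[m], $7
        }'
}

# Read inetd.conf on stdin; print "service server-program" for active
# (non-comment) entries whose service field is one of PORTS or "ingreslock",
# assumed here to be the /etc/services name for 1524/tcp.
find_inetd_entries() {
    awk -v names="$PORTS ingreslock" '
        BEGIN { n = split(names, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^[ \t]*#/ || NF < 6 { next }
        ($1 in want) { print $1, $6 }'
}

# Constructed sample data (not taken from the poster's machine).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address   Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:80      0.0.0.0:*        LISTEN  411/httpd
tcp        0      0 0.0.0.0:1524    0.0.0.0:*        LISTEN  392/inetd
tcp        0      0 0.0.0.0:31337   0.0.0.0:*        LISTEN  1187/placeholder
tcp        0      0 10.0.0.5:1524   10.0.0.9:4021    ESTABLISHED 1201/placeholder
udp        0      0 0.0.0.0:31337   0.0.0.0:*                -'
SAMPLE_INETD='# constructed inetd.conf
ftp        stream tcp nowait root /usr/sbin/tcpd in.ftpd -l -a
#ingreslock stream tcp nowait root /path/disabled placeholder
ingreslock stream tcp nowait root /path/to/unknown-binary placeholder
31337      stream tcp nowait root /path/to/unknown-binary placeholder'

printf '%s\n' "$SAMPLE_NETSTAT" | find_listeners
printf '%s\n' "$SAMPLE_INETD"   | find_inetd_entries
```

On the affected machine, pipe the output of the uncompromised `netstat` copy into `find_listeners` and run `find_inetd_entries < /etc/inetd.conf`. The rc scripts named in the reply still need reading by hand, since an addition there does not have to mention a port.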
