I have run a portscan from outside the box now and these are the results. (Took me long enough...)

xxx.xx.xx.xxx :13782 - bpcd -- open
xxx.xx.xx.xxx :13722 - bpjava-msvc -- open
xxx.xx.xx.xxx :3306 - mysql -- open
xxx.xx.xx.xxx :3001 - nessusd -- open
xxx.xx.xx.xxx :3000 - hbci -- open
xxx.xx.xx.xxx :444 - snpp -- open
xxx.xx.xx.xxx :143 - imap -- open
xxx.xx.xx.xxx :110 - pop-3 -- open
xxx.xx.xx.xxx :81 - hosts2-ns -- open
xxx.xx.xx.xxx :80 - http -- open
xxx.xx.xx.xxx :53 - domain -- open
xxx.xx.xx.xxx :52 - xns-time -- open
xxx.xx.xx.xxx :25 - smtp -- open
xxx.xx.xx.xxx :21 - ftp -- open

ftp should be OK because it denies everyone in hosts.deny and allows only me in hosts.allow.

nessusd - well what can I say, I installed it then couldn't work out how to use it or switch it off!!!

mysql is OK.

pop-3, http, smtp: all things we need.

As for the rest, I don't know what they are or if they're OK?

Any thoughts on whether any of these are suspicious greatly appreciated.

Also, as I suspect we have been hacked but can find no evidence on our regular chkrootkit run or any change in bandwidth usage, where else and what else should I be looking for? Because that tripwire report is still worrying the hell out of me.

Regards
Simon

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
