Try to:

    nmap -I -O -P0 127.0.0.1
    ps ax

and see if you see something strange. For more help from me, just paste the tables in an email.

Note: once I had socklist, a program that could tell you which programs keep sockets up.

Note 2: look, no socket open doesn't mean you're without any backdoor. A socket can open on an event such as a time trigger or an ICMP trigger, so you should monitor that machine more.

SaDIKuZboy

----- Original Message -----
From: "Thomas Amm" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, November 22, 2001 1:50 PM
Subject: Got hacked by Ramen-style attack

> On Thu, 22 Nov 2001 12:06:21 Thomas Amm wrote:
>
> Hi all,
>
> that's what I found in my logs after I had to reboot my router, which also
> worked as print server (now I know better) because of a DoS.
>
> Nov 21 03:29:36 lan1 -- MARK --
> Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line
> 'BB����������������XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%. 192u
> %303$n1�1�1��F��1Ҳf�1��C]�C]�KM�M��1�E�Cf]�f�E�^O'M�E�E��E�^P�M���CC��C��1� �?��
> �A��^X^u^H1�F^GE^L�^K�M^HU^L������/bin/sh'
> Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line
> 'BB(���)���*���+���XXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$ n%.1
> 92u%303$n1�1�1��F��1Ҳf�1��C]�C]�KM�M��1�E�Cf]�f�E�^O'M�E�E��E�^P�M���CC��C� �1ɲ
> ?���A��^X^u^H1�F^GE^L�^K�M^HU^L������/bin/sh'
> Nov 21 03:32:11 lan1 SERVER[2759]: Dispatch_input: bad request line 'BBH
> (and so on) - the lpr.log shows the same entries.
>
> I searched the system for fragments of the Ramen worm after reboot but I
> found nothing suspicious.
> The attack seemed to come over nmbd, although all ports, except inetd, are
> blocked to the outside via ipchains. I had a number of rejected packets to
> port 137 immediately before nmbd crashed and the lprng exploit started.
> So there are some questions I would like to pose:
> Is Woody's lprng still vulnerable? I've got the latest version.
> Is the shown exploit a sign that someone already was in there, or just an
> attempt?
> Can I find possible backdoors, or will I have to re-install?
>
> Thanks,
>
> --
> Things are more like they are today than they ever were before.
> -- Dwight Eisenhower
>
> --
> To UNSUBSCRIBE, email to [EMAIL PROTECTED]
> with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
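One way to pick such entries out of syslog automatically, as an added example that comes from neither poster: the parser below flags lprng "Dispatch_input: bad request line" entries carrying positional %n writes, the pattern visible in the quoted log and one no legitimate print request contains. The sample log lines are constructed to mirror the quoted ones, with the raw shellcode bytes replaced by a printable placeholder.

```python
import re

# Syslog excerpt constructed for this example. The two attack lines copy the
# shape of the lprng "Dispatch_input: bad request line" entries quoted in the
# thread (same timestamps, PIDs, padding widths and %300$n..%303$n writes),
# with the raw shellcode bytes replaced by a printable <shellcode> marker.
SAMPLE_LOG = """\
Nov 21 03:29:36 lan1 -- MARK --
Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u%303$n<shellcode>/bin/sh'
Nov 21 03:32:10 lan1 SERVER[2758]: Dispatch_input: bad request line 'BBXXXXXXXXXXXXXXXXXX%.232u%300$n%.199u%301$nsecurity.i%302$n%.192u%303$n<shellcode>/bin/sh'
Nov 21 03:40:00 lan1 SERVER[2760]: Dispatch_input: bad request line 'GET / HTTP/1.0'
Nov 21 03:41:12 lan1 lpd[2761]: job 'report.ps' queued for printer lp
"""

BAD_REQUEST = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) (?P<proc>[^\[ ]+)\[(?P<pid>\d+)\]: "
    r"Dispatch_input: bad request line '(?P<req>.*)'$")
# A positional "%<n>$n" directive has no legitimate place in a client request
# line: it makes the server write to memory, which is the whole attack here.
POS_WRITE = re.compile(r"%(\d+)\$n")
# "%.<width>u" padding controls what value the following %n writes.
PAD_WIDTH = re.compile(r"%\.(\d+)u")

def analyse(line):
    """Return a finding for a format-string attack in an lprng log line, else None."""
    m = BAD_REQUEST.match(line)
    if not m:
        return None
    req = m.group("req")
    writes = [int(n) for n in POS_WRITE.findall(req)]
    if not writes:
        return None  # malformed request, but not a format-string attack
    return {
        "ts": m.group("ts"),
        "pid": int(m.group("pid")),
        "positional_writes": writes,
        "pad_widths": [int(w) for w in PAD_WIDTH.findall(req)],
        "has_shell": "/bin/sh" in req,  # shellcode tail seen in the quoted log
    }

def scan(log_text):
    """Run analyse() over every line and keep only the findings."""
    return [f for f in map(analyse, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Run against the real syslog and lpr.log, the same scan answers the "attempt or break-in" question only partially: it shows when the writes arrived and whether the payload carried a shell, not whether the process survived long enough to execute it, so the ps and socket checks above still apply.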

