[eug-lug]Compromised? Intruder??
Hi all --

Working on configuring a home Samba server, I did a netstat -a. One line came up that I hadn't ever seen before:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 localhost:blackjack     localhost:blackjack     ESTABLISHED

I never have used a machine name 'blackjack' and checked my hosts file. The 'blackjack' is not there.

Have I been penetrated by a trojan or other malware? Has anyone run up against this kind of attack (if that's what it is)? If not an attack or penetration, what program could have set this host equivalency?

I'm running Slackware 9.1 (2.4.23 and Samba 2.2.8a).

Thanks for any info
Woody

___
EuG-LUG mailing list
[EMAIL PROTECTED]
http://mailman.efn.org/cgi-bin/listinfo/eug-lug
Re: [eug-lug]Compromised? Intruder??
What does netstat -an show you? It looks like blackjack may be a protocol name. Look in /etc/services or /etc/inetd.conf to see if you have a blackjack server running (your output shows your machine talking to itself and not having sent or received anything).

On Wednesday, December 10, 2003, at 12:49 AM, Woody Mims wrote:

> Hi all --
>
> Working on configuring a home Samba server, I did a netstat -a. One line came up that I hadn't ever seen before:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> udp        0      0 localhost:blackjack     localhost:blackjack     ESTABLISHED
>
> I never have used a machine name 'blackjack' and checked my hosts file. The 'blackjack' is not there.
>
> Have I been penetrated by a trojan or other malware? Has anyone run up against this kind of attack (if that's what it is)? If not an attack or penetration, what program could have set this host equivalency?
>
> I'm running Slackware 9.1 (2.4.23 and Samba 2.2.8a).
>
> Thanks for any info
> Woody

--
You are the eventuality of an anomaly, which despite my sincerest efforts I have been unable to eliminate from what is otherwise a harmony of mathematical precision.
-The Architect

Microsoft has resolved this issue. We have put processes in place to ensure there is no recurrence of this eventuality.
-Microsoft
Re: [eug-lug]Compromised? Intruder??
Woody Mims wrote:

> Hi all --
>
> Working on configuring a home Samba server, I did a netstat -a. One line came up that I hadn't ever seen before:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> udp        0      0 localhost:blackjack     localhost:blackjack     ESTABLISHED
>
> I never have used a machine name 'blackjack' and checked my hosts file. The 'blackjack' is not there.

blackjack is the name of a service, not a host. Services are defined in /etc/services. Blackjack is UDP port 1025. The IANA allocated that number to some game company's blackjack server, but you're probably seeing something else. I refer you to these archived messages for more info...

http://archives.neohapsis.com/archives/incidents/2000-09/0054.html
http://archives.neohapsis.com/archives/incidents/2000-09/0059.html
http://archives.neohapsis.com/archives/incidents/2000-09/0090.html

> Have I been penetrated by a trojan or other malware?

I don't think so.

--
Bob Miller                              Kbob
kbobsoft software consulting
http://kbobsoft.com                     [EMAIL PROTECTED]
Re: [eug-lug]Compromised? Intruder??
On Wed, Dec 10, 2003 at 12:49:07AM -0800, Woody Mims wrote:

> Hi all --
>
> Working on configuring a home Samba server, I did a netstat -a. One line came up that I hadn't ever seen before:
>
> Proto Recv-Q Send-Q Local Address           Foreign Address         State
> udp        0      0 localhost:blackjack     localhost:blackjack     ESTABLISHED

As others have noted, your local address is localhost:blackjack and foreign address is localhost:blackjack. This means a connection from 127.0.0.1 port 1025 to the same. Run this to figure out what pid is making that connection:

lsof|grep 1025

Also, if blackjack was a computer name, i.e. it said for a foreign address:

blackjack:389

this would mean that this host resolved the connecting address to the hostname `blackjack'. This would also mean the DNS or hosts file has the connecting IP address listed with the computer name in the same domain as the current machine. Otherwise you would see a fully qualified domain name or an IP address:

blackjack.cracker.it:389 or 12.12.12.12:389

Cory

--
Cory Petkovsek                  Adapting Information
Adaptable IT Consulting         Technology to your
(541) 914-8417                  business
[EMAIL PROTECTED]
www.AdaptableIT.com
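An added example (not from any of the posters, and not something the thread shows) of the two steps the replies describe: mapping the service name netstat printed back to a port number via /etc/services, the way `netstat -an` avoids by skipping name lookup, and then asking which process owns that port. The /etc/services excerpt and the netstat line are constructed to match the thread (blackjack = 1025/udp, as Bob states); the function names and the `SERVICES_FILE` variable are my own, not part of any tool.

```shell
#!/bin/sh
# Added example: translate netstat -a service names back to port numbers
# using /etc/services, then name the pid behind the resulting port.

# Constructed excerpt in /etc/services format: name  port/proto  [aliases]  [# comment].
# blackjack = 1025 is the mapping discussed in the thread; the other lines are filler.
SERVICES_SAMPLE='# service-name  port/protocol  [aliases ...]   # comment
ldap            389/tcp                         # Lightweight Directory Access Protocol
ldap            389/udp
blackjack       1025/tcp                        # network blackjack
blackjack       1025/udp                        # network blackjack
microsoft-ds    445/tcp
microsoft-ds    445/udp'

# Constructed netstat -a output, reflowing the line from the original post.
NETSTAT_SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 localhost:blackjack     localhost:blackjack     ESTABLISHED'

# svc_port NAME PROTO: print the port that /etc/services maps NAME (or an alias) to for PROTO.
# Reads $SERVICES_FILE if set (e.g. /etc/services on the real box), else the embedded sample.
svc_port() {
    if [ -n "$SERVICES_FILE" ]; then src=$(cat "$SERVICES_FILE"); else src=$SERVICES_SAMPLE; fi
    printf '%s\n' "$src" | awk -v n="$1" -v p="$2" '
        /^[ \t]*#/ || NF < 2 { next }          # comments and blank lines
        {
            split($2, pp, "/")                 # "1025/udp" -> pp[1]="1025", pp[2]="udp"
            if (pp[2] != p) next
            if ($1 == n) { print pp[1]; exit }
            for (i = 3; i <= NF; i++) {        # aliases run until a trailing comment
                if ($i ~ /^#/) break
                if ($i == n) { print pp[1]; exit }
            }
        }'
}

# endpoint_numeric HOST:SERVICE PROTO: rewrite the service part as a number.
# Names that /etc/services does not know (and "*") are left as they are, so nothing is hidden.
endpoint_numeric() {
    host=${1%:*}; svc=${1##*:}
    case $svc in
        *[!0-9]*) port=$(svc_port "$svc" "$2"); [ -n "$port" ] || port=$svc ;;
        *)        port=$svc ;;
    esac
    printf '%s:%s' "$host" "$port"
}

# netstat_numeric: read netstat -a lines on stdin, print them with numeric ports.
netstat_numeric() {
    while IFS= read -r line; do
        case $line in
            tcp*|udp*)
                set -f; set -- $line; set +f    # split fields; -f stops "0.0.0.0:*" from globbing
                case $1 in tcp*) proto=tcp ;; *) proto=udp ;; esac
                l=$(endpoint_numeric "$4" "$proto")
                f=$(endpoint_numeric "$5" "$proto")
                printf '%s %s %s %s %s%s\n' "$1" "$2" "$3" "$l" "$f" "${6:+ $6}" ;;
            *)  printf '%s\n' "$line" ;;        # headers and unix-socket lines pass through
        esac
    done
}

# pid_for_port PROTO PORT: name the process owning the socket (needs lsof; not used offline).
# -n and -P keep lsof from turning the numbers back into host and service names.
pid_for_port() {
    if command -v lsof >/dev/null 2>&1; then
        lsof -nP -i "$1:$2"
    else
        echo "lsof not found; try: fuser -n $1 $2" >&2
        return 1
    fi
}

# Demonstration on the constructed sample.
printf '%s\n' "$NETSTAT_SAMPLE" | netstat_numeric
echo "blackjack/udp is port $(svc_port blackjack udp)"
```

On a live machine, `SERVICES_FILE=/etc/services` and `netstat -a | netstat_numeric` gives the same numeric view that `netstat -an` prints directly; `pid_for_port udp 1025` (or Cory's `lsof | grep 1025`) then shows which program holds the socket. The point of the numeric view is that a name in the Local/Foreign Address column is just a lookup result, not evidence that a host or service of that name exists anywhere.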