Hello Franz,

If your system has been compromised and the attacker has root access, then it's possible that he has modified the logs anyway. You might want to reinstall and this time beef up security.

By the way, there should be no reason to touch /etc/services. Removing entries there will not close down ports. Other than /etc/inetd, you should also check the startup scripts as that starts up programs that open ports up as well.

Cheers.

-- 
Harold Rodriguez .:. [EMAIL PROTECTED]
World Wide Web .:. http://it.yorku.ca/moonfrog
GnuPG Key ID .:. 0x9ECCF021

On Fri, 8 Mar 2002, Franz Alt wrote:

+ Hello,
+
+ We've got a SUSE 7.0 PC, which may have been affected by a hacker. Of course, there is no firewall or any IDS system :-)
+ The PC is a small file server for some Win2000 PCs (Samba) and a test server with Apache. Also running SSH, FTP, X.
+ btw, in the past nobody was concerned about security in this small network, because there are no "secrets", we just build webpages. But some days ago our network (permanent) provider told us there were incidents from our IP addresses to others.
+
+ I just began learning security issues (I hope my English is not as bad as my security knowledge).
+
+ Now, I tried to find some traces in /var/messages - none, command "last" - none
+
+ I tried "chkroot" - nothing found,
+
+ tried "kstat" (like ksec for OpenBSD) - I had problems with the configuration (system.map ...?)
+ but here is the output of "kstat":
+ >kstat -M
+ Using /lib/modules/misc/knull.o
+ insmod: a module named knull already exists
+ Module Address
+ knull 0xd002d000
+ ipv6 0xd0046000
+ 3c59x 0xd0036000
+ serial 0xd0021000
+ usbcore 0xd0000000
+ 0xc02758c0
+ > kstat -m 0xc02758c0
+ Probing memory at 0xc02758c0
+ Name:
+ Size: 0
+ Flags: MOD_RUNNING
+ First Registered Symbol: drive_info at 0xc02bb660
+
+ I tried to reconfigure /etc/services and /etc/inetd.conf to disallow unwanted services and ports.
+ Then I made a scan with "superscan" at home via PPP.
+ Besides the installed service ports there were 2 open ports shown: 37 and 113. A port list told me 37 is "time" and 115 is "auth"
+
+ Is my kernel affected or are there any other possibilities than /etc/services and /etc/inetd.conf to open ports for daemons???
+
+ Is it suitable to scan the PC locally (login via ssh) with tools like nmap, nessus ... because I don't want to get trouble with some admins?
+
+ I would be thankful for any hint!
+
+ Franz Alt
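Harold's point about /etc/services, as an added example that is not part of the original thread: only the uncommented lines in /etc/inetd.conf (and whatever the rc scripts start) open a port, while /etc/services is just a name-to-number lookup. The two file excerpts, the functions `inetd_active_ports` and `rc_scripts_starting`, and the rc directory paths are all constructed or assumed here, not taken from Franz's host.

```shell
#!/bin/sh
# Added example, not from the original thread. Which inetd.conf entries
# actually bind a port? /etc/services is only a name->number lookup table.
# Both inputs below are constructed excerpts, not files from Franz's host.

# constructed excerpt of /etc/services: name port/proto
SERVICES='ftp 21/tcp
ssh 22/tcp
time 37/tcp
time 37/udp
auth 113/tcp
finger 79/tcp'

# constructed excerpt of /etc/inetd.conf
# <service> <socket> <proto> <flags> <user> <server> <args>
INETD_CONF='# commented-out entries never bind a socket
ftp    stream tcp nowait root   /usr/sbin/tcpd in.ftpd
#finger stream tcp nowait nobody /usr/sbin/tcpd in.fingerd
time   stream tcp nowait root   internal
auth   stream tcp nowait nobody /usr/sbin/in.identd in.identd'

# Print "service port/proto" for every active (uncommented) inetd entry.
# Deleting a line from /etc/services would only turn the port into "?";
# the socket stays open until inetd.conf is edited and inetd reloaded.
inetd_active_ports() {
    printf '%s\n' "$INETD_CONF" | awk -v svc="$SERVICES" '
    BEGIN {
        n = split(svc, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], f, /[ \t\/]+/)          # name, port, proto
            port[f[1] "/" f[3]] = f[2]
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }               # comment or blank line
    {
        key = $1 "/" $3                             # e.g. auth/tcp
        print $1, ((key in port) ? port[key] : "?") "/" $3
    }'
}

# Startup scripts are the other place daemons come from. On a live host,
# list the rc scripts that mention a daemon name (paths assumed; they
# differ between distributions and SuSE releases).
rc_scripts_starting() {
    grep -l -- "$1" /etc/init.d/* /etc/rc.d/* 2>/dev/null
}

inetd_active_ports
```

Run against the real /etc/inetd.conf by replacing the constructed `INETD_CONF` with `$(cat /etc/inetd.conf)`; the time (37) and auth (113) lines Franz saw are exactly the kind of entry this lists.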