netstat -tunap

julio menezes wrote on Monday 21 March 2005 19:43:
 ->Dear friends,
 ->
 ->I use Slackware 9.1, kernel 2.4.22
 ->Apache 1.3.28 on port 1081
 ->
 ->I suspect an LKM.
 ->I ran 3 applications: nmap, rkhunter and chkrootkit
 ->
 ->nmap reports a port to me, 861, and I don't know who is opening it.
 ->I run the
 ->
 ->
 ->Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-03-21 18:23 BRT
 ->Initiating SYN Stealth Scan against localhost (127.0.0.1) [1660 ports] at 18:23
 ->Discovered open port 113/tcp on 127.0.0.1
 ->Discovered open port 22/tcp on 127.0.0.1
 ->Discovered open port 861/tcp on 127.0.0.1
 ->Discovered open port 37/tcp on 127.0.0.1
 ->The SYN Stealth Scan took 0.14s to scan 1660 total ports.
 ->For OSScan assuming that port 22 is open and port 1 is closed and
 ->neither are firewalled
 ->Host localhost (127.0.0.1) appears to be up ... good.
 ->Interesting ports on localhost (127.0.0.1):
 ->(The 1656 ports scanned but not shown below are in state: closed)
 ->PORT    STATE SERVICE
 ->22/tcp  open  ssh
 ->37/tcp  open  time
 ->113/tcp open  auth
 ->861/tcp open  unknown
 ->Device type: general purpose
 ->Running: Linux 2.4.X|2.5.X
 ->OS details: Linux 2.4.0 - 2.5.20
 ->Uptime 0.006 days (since Mon Mar 21 18:14:19 2005)
 ->TCP Sequence Prediction: Class=random positive increments
 ->                          Difficulty=2075835 (Good luck!)
 ->IPID Sequence Generation: All zeros
 ->
 ->Nmap run completed -- 1 IP address (1 host up) scanned in 2.503 seconds
 ->
 ->
 ->rkhunter, in turn, detects 4 vulnerable applications
 ->
 ->* Application version scan
 ->    - GnuPG 1.2.3                                              [ Vulnerable ]
 ->    - Apache 1.3.28                                            [ Vulnerable ]
 ->    - OpenSSL 0.9.7b                                           [ Vulnerable ]
 ->    - ProFTPd 1.2.8                                            [ Vulnerable ]
 ->
 ->
 ->chkrootkit gave me an LKM suspicion message and then stopped,
 ->
 ->Searching for anomalies in shell history files... Warning:
 ->`//root/.kde/socket-mala01
 ->//root/.kde/tmp-mala01' is linked to another file
 ->Checking `lkm'... Not Tested: can't exec ./chkproc
 ->
 ->
 ->-----------------------Questions:
 ->1- How can I find out who is using port 861? I tried telnet
 ->localhost 861 without success. It gives connection refused by the foreign host
 ->2- How do I close port 861? It is not listed in services or inetd.conf
 ->3- What protections have you adopted?
 ->
 ->Thank you,
 ->julio menezes
 ->
 ->
 ->

-- 
  The quick firefox jumped over the lazy explorer
     http://www.getfirefox.com
--
Renato Carvalho <[EMAIL PROTECTED]>
Tel: 2221-6995 r.107
Nooracom.com <http://www.nooracom.com>
-- 
GUS-BR - Grupo de Usuarios Slackware - BR
http://www.slackwarebrasil.org/
http://www.linuxmag.com.br/mailman/listinfo/slack-users
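
An added example, not part of the original thread: one way to read the `netstat -tunap` output suggested in the reply and pick out the owner of a single listening TCP port. The function names `port_owner` and `sample_netstat` are hypothetical, and the sample output is constructed; a `-` in the PID/Program column means netstat could not tie the socket to a process (kernel-owned socket, or netstat not run as root).

```shell
# Added example: report which process owns a listening TCP port,
# reading `netstat -tunap` output on stdin.
# On a live host (as root, so the PID column is filled in):
#   netstat -tunap | port_owner 861
port_owner() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # local address; the port is the last piece
            if (a[n] != port) next
            found = 1
            if ($7 == "-")
                print port " NO-PID (kernel-owned socket, or netstat not run as root)"
            else {
                split($7, p, "/")      # PID/Program name column
                print port " pid=" p[1] " prog=" p[2]
            }
        }
        END { if (!found) print port " not-listening" }
    '
}

# Constructed sample in `netstat -tunap` layout (not taken from the poster's machine)
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      412/sshd
tcp        0      0 0.0.0.0:37              0.0.0.0:*               LISTEN      398/inetd
tcp        0      0 0.0.0.0:113             0.0.0.0:*               LISTEN      398/inetd
tcp        0      0 0.0.0.0:861             0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:858             0.0.0.0:*                           -
EOF
}
```
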
