LKM = Linux kernel modules. If you disable module loading in the kernel, doesn't that kill this problem?
João Luis Gomes Moreira wrote on Tuesday 22 March 2005 09:37:
> Hi Julio,
>
> Afterwards, please tell me what LKM is.
>
> Your question 1... I think with lsof you can see which process
> (application) is opening the port. Then it would just be a matter of killing it.
>
> As for the other two questions... I'm also waiting for some guru.
>
> Regards,
>
> JL
>
> On Mon, 2005-03-21 at 19:43 -0300, julio menezes wrote:
>> Dear friends,
>>
>> I use Slackware 9.1, kernel 2.4.22,
>> Apache 1.3.28 on port 1081.
>>
>> I suspect an LKM.
>> I ran 3 applications: nmap, rkhunter and chkrootkit.
>>
>> nmap reports a port, 861, and I don't know what is opening it.
>> I run the
>>
>>
>> Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-03-21 18:23 BRT
>> Initiating SYN Stealth Scan against localhost (127.0.0.1) [1660 ports] at 18:23
>> Discovered open port 113/tcp on 127.0.0.1
>> Discovered open port 22/tcp on 127.0.0.1
>> Discovered open port 861/tcp on 127.0.0.1
>> Discovered open port 37/tcp on 127.0.0.1
>> The SYN Stealth Scan took 0.14s to scan 1660 total ports.
>> For OSScan assuming that port 22 is open and port 1 is closed and
>> neither are firewalled
>> Host localhost (127.0.0.1) appears to be up ... good.
>> Interesting ports on localhost (127.0.0.1):
>> (The 1656 ports scanned but not shown below are in state: closed)
>> PORT    STATE SERVICE
>> 22/tcp  open  ssh
>> 37/tcp  open  time
>> 113/tcp open  auth
>> 861/tcp open  unknown
>> Device type: general purpose
>> Running: Linux 2.4.X|2.5.X
>> OS details: Linux 2.4.0 - 2.5.20
>> Uptime 0.006 days (since Mon Mar 21 18:14:19 2005)
>> TCP Sequence Prediction: Class=random positive increments
>>                          Difficulty=2075835 (Good luck!)
>> IPID Sequence Generation: All zeros
>>
>> Nmap run completed -- 1 IP address (1 host up) scanned in 2.503 seconds
>>
>>
>> rkhunter, in turn, detects 4 vulnerable applications:
>>
>> * Application version scan
>>    - GnuPG 1.2.3                               [ Vulnerable ]
>>    - Apache 1.3.28                             [ Vulnerable ]
>>    - OpenSSL 0.9.7b                            [ Vulnerable ]
>>    - ProFTPd 1.2.8                             [ Vulnerable ]
>>
>>
>> chkrootkit gave me a message about a suspected LKM and then stopped:
>>
>> Searching for anomalies in shell history files... Warning:
>> `//root/.kde/socket-mala01 //root/.kde/tmp-mala01' is linked to another file
>> Checking `lkm'... Not Tested: can't exec ./chkproc
>>
>>
>> -----------------------Questions:
>> 1- How can I find out who is using port 861? I tried telnet
>> localhost 861 without success. I get connection refused by foreign host.
>> 2- How do I close port 861? It is not in services or inetd.conf.
>> 3- What protections do you adopt?
>>
>> thanks,
>> julio menezes
>>
>>
>

-- 
The quick firefox jumped over the lazy explorer
http://www.getfirefox.com
-- 
Renato Carvalho <[EMAIL PROTECTED]>
Tel: 2221-6995 r.107
Nooracom.com <http://www.nooracom.com>
-- 
GUS-BR - Grupo de Usuarios Slackware - BR
http://www.slackwarebrasil.org/
http://www.linuxmag.com.br/mailman/listinfo/slack-users
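For Julio's question 1 (which process owns port 861) and João's lsof suggestion, the following is an added example and not code from the thread: a POSIX shell script that reads the kernel's own socket table in /proc/net/tcp layout, lists LISTEN ports with their socket inodes, flags ports that a userland tool (netstat, lsof) failed to report, and maps a socket inode to a PID through /proc/*/fd. The /proc/net/tcp table embedded in it is constructed for the demo (ports 22, 861 and 1081 were chosen to mirror the thread), and all function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads TCP sockets in the layout
# of /proc/net/tcp so that a LISTEN port such as 861 can be traced to a socket
# inode and then to a PID, without relying only on netstat/lsof binaries that
# a rootkit could have replaced. The table below is constructed for the demo:
# it mimics sshd on 22, an unknown listener on 861, Apache on 127.0.0.1:1081,
# and one established connection (state 01) that must be ignored.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 300 0 0 2 -1
   1: 00000000:035D 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 00000000 300 0 0 2 -1
   2: 0100007F:0439 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9012 1 00000000 300 0 0 2 -1
   3: 0100007F:8D3C 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 3456 1 00000000 20 4 30 10 -1'

# hex2dec 035D -> 861 (ports in /proc/net/tcp are hexadecimal)
hex2dec() { printf '%d' "0x$1"; }

# hexaddr2ip 0100007F -> 127.0.0.1 (IPv4 addresses are hex, little-endian)
hexaddr2ip() {
  b1=${1%??????}; rest=${1#??}
  b2=${rest%????}; rest=${rest#??}
  b3=${rest%??};   b4=${rest#??}
  printf '%d.%d.%d.%d' "0x$b4" "0x$b3" "0x$b2" "0x$b1"
}

# listening_ports TABLE: one "ip:port inode=N" line per socket in state 0A (LISTEN)
listening_ports() {
  printf '%s\n' "$1" | awk 'NR > 1 && $4 == "0A" { print $2, $10 }' |
  while read -r laddr inode; do
    printf '%s:%s inode=%s\n' "$(hexaddr2ip "${laddr%:*}")" \
      "$(hex2dec "${laddr#*:}")" "$inode"
  done
}

# ports_not_reported LISTING PORTS: LISTEN ports present in the kernel table
# but absent from PORTS (one port per line, e.g. taken from `netstat -tln`).
# A port only the kernel table shows means the userland tool is not telling
# the truth or the listener is being hidden from it.
ports_not_reported() {
  printf '%s\n' "$2" | awk -v listing="$1" '
    { seen[$1] = 1 }
    END {
      n = split(listing, lines, "\n")
      for (i = 1; i <= n; i++) {
        split(lines[i], f, " "); split(f[1], ap, ":")
        if (f[1] != "" && !(ap[2] in seen)) print ap[2]
      }
    }'
}

# pid_for_inode N: walk /proc/*/fd for the socket owning inode N (live system
# only, nothing to assert offline). Finding no owner is itself a finding: the
# process is hidden from /proc or the socket belongs to kernel code, which is
# what a kernel-module rootkit would look like from userland.
pid_for_inode() {
  for fd in /proc/[0-9]*/fd/*; do
    if [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ]; then
      p=${fd#/proc/}; echo "${p%%/*}"; return 0
    fi
  done
  return 1
}

# Demo on the constructed table; on a real box pass "$(cat /proc/net/tcp)".
listening_ports "$SAMPLE_PROC_NET_TCP"
```

On a live machine, run `listening_ports "$(cat /proc/net/tcp)"`, feed the port column of `netstat -tln` to `ports_not_reported`, and hand any inode of interest to `pid_for_inode`. Agreement between the kernel table, netstat and the nmap scan, plus a PID that explains the listener, is the expected healthy state; a port that only nmap or only /proc reports, or an inode with no owning PID, is the evidence that should drive the rootkit investigation rather than a guess.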

