Hi all,

Thanks for the replies, I haven't had a chance to get back online till now, so now I get to read all those words of wisdom... One of which is to check your config files before restoring them after an attack...

Bevan Broun wrote:
>
> And data/config files must be checked. No point pointing back nice secure
> binaries if a config file allows something it shouldn't.

OK, so I rebuilt an old RH6.2 system and upgraded to RH7.1 in the process. I got the RH7.1 install to format everything except my swap drive.

About an hour after I rebooted my nicely rebuilt system (using my old ipchains rules - which are obviously lacking) I noticed the following tell-tale signs of intrusion yet again:

... 17:13:16 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 ...
... 17:13:16 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 ...
... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 ...
... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 ...
... 17:13:17 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:111 ...
... 17:13:17 rpc.statd[844]: gethostbyname error for ^X���^X���^Y���^Y���^Z���^Z���^[���^[���%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220....... heaps of this
... 17:13:17 kernel: Packet log: input log-in ppp0 PROTO=17 .....
... 17:13:17 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:1024
... 17:13:18 kernel: Packet log: input log-in ppp0 PROTO=6 .....
... 17:13:18 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111
... 17:13:18 kernel: Packet log: input log-in ppp0 PROTO=6 ....

The IP addresses don't seem to mean much other than one of them is mine! (dial up so it varies each time)

The same thing happened on RH6.2 just before I got attacked (though this could be just coincidence) but I believe the vulnerability exploited in my case was via rpc.statd (they loaded 'luckroot' onto my system plus a rootkit).

Unfortunately NFS uses rpc.statd for its locking (?) schemes so I can't just ditch it.

Has anyone else experienced this? What the hell is going on????
Jul 4 17:13:16 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=60 S=0x00 I=62112 F=0x4000 T=48 SYN (#1)
Jul 4 17:13:16 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=60 S=0x00 I=0 F=0x4000 T=64 (#1)
Jul 4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62378 F=0x4000 T=48 (#1)
Jul 4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 203.12.255.8:111 L=84 S=0x00 I=62381 F=0x0000 T=48 (#4)
Jul 4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:111 208.176.183.26:835 L=56 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul 4 17:13:17 Node10 rpc.statd[844]: gethostbyname error for ^X���^X���^Y���^Y���^Z���^Z���^[���^[���%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220\220
Jul 4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:836 203.12.255.8:1024 L=1104 S=0x00 I=62592 F=0x0000 T=48 (#4)
Jul 4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:1024 208.176.183.26:836 L=60 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul 4 17:13:18 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62614 F=0x4000 T=48 (#1)
Jul 4 17:13:18 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=52 S=0x00 I=28609 F=0x4000 T=64 (#1)
Jul 4 17:13:18 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=52 S=0x00 I=62972 F=0x4000 T=48 (#1)
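Added example, not code from the original post or from anyone in the thread: a small Python detector for the sequence visible in the log above. It parses the ipchains "Packet log:" lines and the rpc.statd "gethostbyname error" lines, scores the statd payload for format-string indicators (the %n write directives, the padded %<width>x reads that walk the stack, and the run of \220 that syslog prints for 0x90 NOP bytes), and ties each hit back to the portmapper lookup on port 111 and the large UDP datagram that followed it from the same source. The sample lines are constructed after the ones quoted above (same addresses, shortened payload, plus one benign statd line); the year 2001, the 5-second window and the thresholds are assumptions, not anything the post states.

```python
"""Detect the rpc.statd format-string attack pattern in ipchains/syslog text.

Added example. Assumptions: syslog lines carry no year (2001 is used),
the portmap lookup and the statd datagram arrive within 5 seconds of the
statd log line, and a payload with any %n plus either 4+ %<width>x reads
or 4+ NOP bytes is treated as hostile.
"""
import re
from datetime import datetime, timedelta

ASSUMED_YEAR = 2001  # assumption: syslog omits the year

SYSLOG_RE = re.compile(r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) (\S+) (.*)$")
PKT_RE = re.compile(
    r"Packet log: (input|output) (\S+) (\S+) PROTO=(\d+) "
    r"(\d+\.\d+\.\d+\.\d+):(\d+) (\d+\.\d+\.\d+\.\d+):(\d+) L=(\d+)")
STATD_RE = re.compile(r"rpc\.statd\[(\d+)\]: gethostbyname error for (.*)$")

# Constructed sample modelled on the lines quoted in the post (not a real log).
SAMPLE_LOG = """\
Jul  4 17:13:16 Node10 kernel: Packet log: input log-in ppp0 PROTO=6 208.176.183.26:4170 203.12.255.8:111 L=60 S=0x00 I=62112 F=0x4000 T=48 SYN (#1)
Jul  4 17:13:16 Node10 kernel: Packet log: output log-out ppp0 PROTO=6 203.12.255.8:111 208.176.183.26:4170 L=60 S=0x00 I=0 F=0x4000 T=64 (#1)
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:835 203.12.255.8:111 L=84 S=0x00 I=62381 F=0x0000 T=48 (#4)
Jul  4 17:13:17 Node10 kernel: Packet log: output log-out ppp0 PROTO=17 203.12.255.8:111 208.176.183.26:835 L=56 S=0x00 I=0 F=0x4000 T=64 (#3)
Jul  4 17:13:17 Node10 rpc.statd[844]: gethostbyname error for ^X^X%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%n\\220\\220\\220\\220\\220
Jul  4 17:13:17 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 208.176.183.26:836 203.12.255.8:1024 L=1104 S=0x00 I=62592 F=0x0000 T=48 (#4)
Jul  4 17:13:20 Node10 kernel: Packet log: input log-in ppp0 PROTO=17 10.0.0.5:2049 203.12.255.8:111 L=84 S=0x00 I=1 F=0x0000 T=64 (#4)
Jul  4 17:13:20 Node10 rpc.statd[844]: gethostbyname error for nfsclient.example.invalid
"""


def parse_line(line):
    """Return a dict for a packet-log or statd line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    mon, day, hms, host, msg = m.groups()
    ts = datetime.strptime(f"{mon} {day} {hms} {ASSUMED_YEAR}", "%b %d %H:%M:%S %Y")
    p = PKT_RE.search(msg)
    if p:
        return {"kind": "pkt", "ts": ts, "host": host, "dir": p.group(1),
                "iface": p.group(3), "proto": int(p.group(4)),
                "src": p.group(5), "sport": int(p.group(6)),
                "dst": p.group(7), "dport": int(p.group(8)), "len": int(p.group(9))}
    s = STATD_RE.search(msg)
    if s:
        return {"kind": "statd", "ts": ts, "host": host,
                "pid": int(s.group(1)), "payload": s.group(2)}
    return None


def score_statd_payload(payload):
    """Count format-string indicators in the string statd tried to resolve."""
    n_writes = payload.count("%n")                     # arbitrary-write directives
    widths = re.findall(r"%(\d+)x", payload)           # padded reads walking the stack
    nops = len(re.findall(r"\\220|\x90", payload))     # NOP sled: syslog-escaped or raw
    suspicious = n_writes > 0 and (len(widths) >= 4 or nops >= 4)
    return {"percent_n": n_writes, "width_reads": len(widths),
            "nop_bytes": nops, "suspicious": suspicious}


def analyze(log_text, window_seconds=5):
    """One incident per hostile statd payload, joined with the inbound packets
    (portmap lookup on 111, then the UDP datagram to statd's port) that
    arrived in the window_seconds before the statd line was logged."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    inbound = [r for r in records if r["kind"] == "pkt" and r["dir"] == "input"]
    win = timedelta(seconds=window_seconds)
    incidents = []
    for ev in (r for r in records if r["kind"] == "statd"):
        score = score_statd_payload(ev["payload"])
        if not score["suspicious"]:
            continue
        near = [p for p in inbound if ev["ts"] - win <= p["ts"] <= ev["ts"]]
        lookups = {p["src"] for p in near if p["dport"] == 111}
        delivery = sorted((p for p in near if p["src"] in lookups
                           and p["proto"] == 17 and p["dport"] != 111),
                          key=lambda p: p["len"], reverse=True)
        incidents.append({"ts": ev["ts"].isoformat(sep=" "), "host": ev["host"],
                          "pid": ev["pid"], "sources": sorted(lookups),
                          "statd_port": delivery[0]["dport"] if delivery else None,
                          "payload_len": delivery[0]["len"] if delivery else None,
                          **score})
    return incidents


if __name__ == "__main__":
    for inc in analyze(SAMPLE_LOG):
        print(inc)
```

Run it over /var/log/messages (or the copy you took before wiping the box); the benign statd line is left alone because a hostname never contains %n, while the hostile one is reported with the source that queried the portmapper and the 1104-byte datagram it sent to the port statd was registered on. It only tells you what was logged: a successful exploit followed by a rootkit can also edit the logs, so treat a hit as a reason to rebuild, not as proof the attempt failed.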
