"Stephan Borg" <[EMAIL PROTECTED]> writes:

> Hello all,
>
> Over the last couple of days, a Debian 2.2r4 box I work on appears to
> have been infected by a Trojan. I have since upgraded SSH which I think
> was the leak.
>
> I have done an NMAP on the box. I have removed the known services from
> the output, shown below are the results.
>
> Port       State     Service
> 139/tcp    filtered  netbios-ssn  - I don't have Samba
> 515/tcp    filtered  printer      - no lpr as far as I'm aware
> 1080/tcp   filtered  socks        - no socks as far as I'm aware
> 2003/tcp   filtered  cfingerd     - the binary for this one is on the server, but is not enabled in Inetd
> 2049/tcp   filtered  nfs          - No NFS
> 12345/tcp  filtered  NetBus
> 12346/tcp  filtered  NetBus
AFAIK, filtered generally indicates the port isn't available for connecting to - so it's no indication if a service is running or not.

Assuming your netkit has the same md5 as the one on the Debian servers, try

    netstat --inet -l -p

to show which processes are providing ports on your box.

Cheers,
-- 
Damien Elmes
[EMAIL PROTECTED]

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://lists.slug.org.au/listinfo/slug
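Added example, not part of the original thread: a Python sketch of the check suggested in the reply, pairing each scanned port with what the host's own listener table reports. The netstat text and the `22/tcp open` line are constructed samples, the other three scan lines are copied from the post, `-n` is added to the suggested command so ports print numerically, and the result is only as trustworthy as the netstat binary that produced it.

```python
import re

# Constructed sample of `netstat --inet -l -p -n` output (not from the thread).
NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      312/sshd
tcp        0      0 0.0.0.0:2003            0.0.0.0:*               LISTEN      411/inetd
udp        0      0 0.0.0.0:123             0.0.0.0:*                           305/ntpd
"""

# Scan lines: the first three are from the post, the "open" one is constructed.
NMAP = """\
139/tcp filtered netbios-ssn
2003/tcp filtered cfingerd
12345/tcp filtered NetBus
22/tcp open ssh
"""

def parse_listeners(text):
    """Map (port, proto) -> 'PID/Program' for every listening socket."""
    listeners = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue
        # UDP rows have an empty State column, so the owner sits one field earlier.
        owner_idx = 6 if fields[0] == "tcp" else 5
        port = int(fields[3].rsplit(":", 1)[1])
        listeners[(port, fields[0])] = " ".join(fields[owner_idx:]) or "-"
    return listeners

def correlate(nmap_text, listeners):
    """Pair each scanned port with what the host itself reports."""
    report = []
    for m in re.finditer(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", nmap_text, re.M):
        port, proto, state = int(m[1]), m[2], m[3]
        owner = listeners.get((port, proto))
        if owner:
            verdict = "listening locally: " + owner
        elif state == "filtered":
            verdict = "no local listener; scan result was inconclusive"
        else:
            verdict = "no local listener although scan says " + state
        report.append((port, proto, state, verdict))
    return report

if __name__ == "__main__":
    for row in correlate(NMAP, parse_listeners(NETSTAT)):
        print("%d/%s %-9s %s" % row)
```

In the constructed data, port 2003 shows up as "filtered" from outside yet is held open by inetd on the host, which is the kind of disagreement the listener table exposes and the scan alone cannot.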
