
Re: [suse-security] rootkit?

On Thursday 01 January 2004 20:51, Patrick Ahlbrecht wrote:

> I have never seen something like [eth0] anywhere else (btw: what's the
> actual meaning of square brackets? Daemons show them too, but these are
> kernel tasks). Looking at /proc/425 doesn't give any clues, except that it
> has one file descriptor open pointing to /dev/initctl and a PPID of 1.

Not likely a rootkit. You will find that you can stop it with 'rcnetwork stop 
eth0' and start it again with 'rcnetwork start eth0'. It's the service which 
handles your network card. Most rootkits will hide themselves by changing the 
output of the 'ps' command, so you're not likely to find a rootkit that way.

> I also found port 6667 to be open, or better "filtered" (nmap). The
> firewall (self made) doesn't touch it, and I can't associate a process with
> it (it doesn't accept connections either if simply telnetted to).

From where did you check this? If you used an online scanning service, it 
could be that your ISP is filtering port 6667. It is commonly (ab)used for 
IRC and therefore a fairly well known vulnerability. Some ISPs don't want 
their customers to run servers, the only reason why you might need it. As an 
'ordinary' user, you wouldn't be harmed by filtering. Check the 
acceptable use policy of your provider.

Best regards,
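An added example (not from anyone in this thread) that answers both quoted questions from /proc rather than from ps or nmap: it maps a listening port to the PID holding its socket inode via /proc/net/tcp and /proc/<pid>/fd, and diffs the PIDs present in /proc against the PIDs ps reports, which is exactly the check a ps-patching rootkit fails. SAMPLE_TCP is a constructed /proc/net/tcp snippet for testing; the port 6667 default and the `ps -e -o pid=` invocation are my choices.

```python
import os
import subprocess

PROC = "/proc"
# Constructed sample of /proc/net/tcp: one LISTEN socket on port 0x1A0B (6667), inode 12345.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1A0B 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0 100 0 0 10 0
"""

def parse_tcp_table(text):
    """Return {local_port: (state_hex, inode)}; state 0A is LISTEN."""
    ports = {}
    for line in text.splitlines()[1:]:           # skip the header row
        f = line.split()
        if len(f) >= 10:                         # local_address is hex ip:port
            ports[int(f[1].rsplit(":", 1)[1], 16)] = (f[3], int(f[9]))
    return ports

def socket_owner(inode, fd_links):
    """PIDs whose fd table links to socket:[inode]; fd_links = [(pid, target)]."""
    want = "socket:[%d]" % inode
    return sorted({pid for pid, target in fd_links if target == want})

def hidden_pids(proc_pids, ps_pids):
    """PIDs present as /proc/<pid> but missing from ps (what a trojaned ps hides)."""
    return sorted(set(proc_pids) - set(ps_pids))

def live_fd_links():
    """Yield (pid, link_target) for each readable /proc/<pid>/fd entry (root sees all)."""
    for pid in (p for p in os.listdir(PROC) if p.isdigit()):
        fd_dir = os.path.join(PROC, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                yield int(pid), os.readlink(os.path.join(fd_dir, fd))
        except OSError:                          # process exited, or not ours
            continue

def main(port=6667):
    with open(os.path.join(PROC, "net", "tcp")) as fh:
        entry = parse_tcp_table(fh.read()).get(port)
    if entry is None:
        print("port %d: no TCP socket in /proc/net/tcp" % port)
    else:
        print("port %d: state %s, owner PIDs %s" % (port, entry[0], socket_owner(entry[1], live_fd_links())))
    proc_pids = [int(p) for p in os.listdir(PROC) if p.isdigit()]
    ps_pids = [int(p) for p in subprocess.check_output(["ps", "-e", "-o", "pid="]).split()]
    print("in /proc but not in ps:", hidden_pids(proc_pids, ps_pids))

if __name__ == "__main__":
    main()
```

No local socket on 6667 plus an empty /proc-versus-ps diff is consistent with the reply's explanation that the "filtered" result comes from upstream filtering rather than a hidden listener; rerun once before trusting a non-empty diff, since a process that exited between the two listings shows up the same way. /proc/net/tcp6 has the same column layout for IPv6.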
