
Re: [suse-security] rootkit?

On Thursday, 1 January 2004 20:47, Arjen de Korte wrote:

> Not likely a rootkit. You will find that you can stop it with 'rcnetwork
> stop eth0' and start it again with 'rcnetwork start eth0'. It's the service
> which handles your network card. Most rootkits will hide themselves by
> changing the output of the 'ps' command, so you're not likely to find a
> rootkit that way.

Well, that's the thing that was puzzling me. I've already had some
experiences with rootkits, so finding something with ps I could not sort in
was quite surprising. Nevertheless, my homebox (SuSE 9.0) would not show
such a process, even though I got a local LAN here. Stopping the network with
rcnetwork stop to see what happens is not really a choice for me, as I do not
have physical access to the machine ;-).

> From where did you check this? If you used an online scanning service, it

I checked it from home, using nmap (which isn't installed on the machine in
question). I thought it might be safer to check from outside.

> could be that your ISP is filtering port 6667. It is commonly (ab)used for
> IRC and therefore a fairly well known vulnerability. Some ISPs don't want
> their customers to run servers, the only reason why you might need it. As
> an 'ordinary' user, you wouldn't be harmed by filtering. Check with your
> acceptable use policy of your provider.

Hm, haven't thought of this yet. I'll have to check this with our ISP, thanx 
for the advice.
Patrick Ahlbrecht
Systemadministration billiton internetservices
direct phone: 0271 30386 19
