
Re: [suse-security] rootkit?



On Thursday, 1 January 2004 20:47, Arjen de Korte wrote:

> Not likely a rootkit. You will find that you can stop it with 'rcnetwork
> stop eth0' and start it again with 'rcnetwork start eth0'. It's the service
> which handles your network card. Most rootkits will hide themselves by
> changing the output of the 'ps' command, so you're not likely to find a
> rootkit that way.

Well, that's the thing that was puzzling me. I've already had some 
experiences with rootkits, so finding something with ps I could not sort in 
was quite surprising. Nevertheless, my homebox (SuSE 9.0) would not show 
such a process, even though I got a local LAN here. Stopping the network with 
rcnetwork stop to see what happens is not really a choice for me, as I do not 
have physical access to the machine ;-).

> From where did you check this? If you used an online scanning service, it

I checked it from home, using nmap (which isn't installed on the machine in 
question). I thought it might be safer to check from outside.

> could be that your ISP is filtering port 6667. It is commonly (ab)used for
> IRC and therefore a fairly well known vulnerability. Some ISPs don't want
> their customers to run servers, the only reason why you might need it. As
> an 'ordinary' user, you wouldn't be harmed by filtering. Check with your
> acceptable use policy of your provider.

Hm, haven't thought of this yet. I'll have to check this with our ISP, thanx 
for the advice.
-- 
Patrick Ahlbrecht
Systemadministration billiton internetservices
direct phone: 0271 30386 19

