Re: [suse-security] rootkit?
On Thursday, 1 January 2004 20:47, Arjen de Korte wrote:
> Not likely a rootkit. You will find that you can stop it with 'rcnetwork
> stop eth0' and start it again with 'rcnetwork start eth0'. It's the service
> which handles your network card. Most rootkits will hide themselves by
> changing the output of the 'ps' command, so you're not likely to find a
> rootkit that way.
Well, that's the thing that was puzzling me. I've already had some
experiences with rootkits, so finding something with ps I could not sort in
was quite surprising. Nevertheless, my homebox (SuSE 9.0) would not show
such a process, even though I got a local LAN here. Stopping the network with
rcnetwork stop to see what happens is not really a choice for me, as I do not
have physical access to the machine ;-).
> From where did you check this? If you used an online scanning service, it
I checked it from home, using nmap (which isn't installed on the machine in
question). I thought it might be safer to check from outside.
> could be that your ISP is filtering port 6667. It is commonly (ab)used for
> IRC and therefore a fairly well known vulnerability. Some ISPs don't want
> their customers to run servers, the only reason why you might need it. As
> an 'ordinary' user, you wouldn't be harmed by filtering. Check with your
> acceptable use policy of your provider.
Hm, haven't thought of this yet. I'll have to check this with our ISP, thanx
for the advice.
Systemadministration billiton internetservices
direct phone: 0271 30386 19