[TriLUG] possible intruder - advice?
Jeff Bollinger
jeff01 at email.unc.edu
Mon May 24 12:22:17 EDT 2004
Andrew Perrin wrote:
> Yes, but stopping samba doesn't seem to close port 1025. It looks, from
> further investigation, like it's attempts (probably failed) to mount
> directories via nfs, which I don't like but am not terribly worried about:
>
> nujoma:/var/log# lsof -i TCP:1025
> COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> rpc.mount 671 root 4u IPv4 2750 TCP *:1025 (LISTEN)
> rpc.mount 671 root 6u IPv4 13940 TCP
> (me, external interface):1025->user-24-214-178-146.knology.net:3821
> (ESTABLISHED)
> rpc.mount 671 root 7u IPv4 17011 TCP
> (me, external interface):1025->user-0c8gjqu.cable.mindspring.com:4742
> (ESTABLISHED)
>
>
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
You're probably getting attacked with a remnant of the Sasser worm. It
attaches to port 1025/tcp and attempts to execute code.
Jeff