[TriLUG] possible intruder - advice?

matusiak dave at matusiak.org
Tue May 25 12:32:47 EDT 2004


hey Andrew --

this service could have been installed/started upon install (and/or 
boot time).  are you sure that this was never installed?  really sure?  
like others had mentioned, this could be trojan behavior manifesting in 
your box.

is this Red Hat?  Fedora?  Debian?  not that it matters, but different 
systems often represent different /etc/services information.

On a custom Linux machine I'm logged in to, there is NO listing for 
port 1025.
But on a Mac OS X box, it is listed as "blackjack" or "network 
blackjack."
sounds nefarious, doesn't it?  maybe google can tell us what that is??

Anyway, you've drilled down to find that you've got a Remote Procedure 
Call service working to "mount" some device (disk, etc) on your machine 
*and* you've seen connections to it from machines you do not know.

Do you have a good backup of your data?  Now is the time to reinstall.
Pay close attention on the next install, so that unnecessary listener 
services are neither installed, nor loaded.  Then restore your data.

A good practice after building a machine (of ANY OS) is to nmap scan 
the system (from local and remote, if possible) to see what the rest of 
the world sees.  Then go about trying to lock down what is left 
listening to the world.  Hopefully, it will prevent this all from 
happening again.

As to why those machines are connected to it?  Could be anything...

Good luck!
dave m.

On May 24, 2004, at 4:26 PM, Andrew Perrin wrote:

> It's rpc.mountd.  The question is why, and why those machines are
> connected to it.
>
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
>
>
> On Mon, 24 May 2004, Brent Verner wrote:
>
>> [2004-05-24 13:49] Andrew Perrin said:
>> | Thanks to all. Frankly, what's most worrisome to me is that 1025 appears
>> | open, where other ports are not:
>>
>> try this to see if it'll show you which process is listening
>>
>>   sh# lsof -n|grep TCP|grep 1025
>>
>>   b


--
Creating chaos in all the right places...
                               ... http://ibiblio.org/matusiak/
                                                             --
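Dave's "nmap it, then lock down what is left listening" advice and Brent's lsof one-liner both come down to comparing what is listening against what should be. As an added example (not code from the original thread), this POSIX sh snippet runs that comparison over a constructed listener list in the shape of trimmed `ss -ltnp` output; the expected ports, process names and addresses are assumptions.

```shell
#!/bin/sh
# Audit listening TCP sockets against an allowlist of expected ports.
# Input: one "proto local-address:port process" line per socket, the shape
# you get from `ss -ltnp` or `lsof -nP -iTCP -sTCP:LISTEN` after trimming
# columns. Everything below is constructed sample data, not a real host.

# Ports this machine is expected to serve (assumption: ssh and a web server).
EXPECTED_PORTS="22 80"

# Constructed sample, including an rpc.mountd listener like the one in the thread.
SAMPLE_LISTENERS='tcp 0.0.0.0:22 sshd
tcp 0.0.0.0:80 httpd
tcp 0.0.0.0:1025 rpc.mountd
tcp 127.0.0.1:631 cupsd'

# Print every listener whose port is not in EXPECTED_PORTS, tagging it as
# local-only (bound to loopback, invisible to the rest of the world) or
# world-reachable (bound to a non-loopback address).
unexpected_listeners() {
    printf '%s\n' "$1" | while read -r proto addr proc; do
        port=${addr##*:}
        host=${addr%:*}
        allowed=no
        for p in $EXPECTED_PORTS; do
            [ "$p" = "$port" ] && allowed=yes
        done
        if [ "$allowed" = no ]; then
            case "$host" in
                127.*|::1|"[::1]") scope=local-only ;;
                *)                 scope=world-reachable ;;
            esac
            printf '%s %s %s %s\n' "$proto" "$port" "$proc" "$scope"
        fi
    done
}

# Count the unexpected listeners that are reachable from outside the host;
# these are the ones a remote nmap scan would show and that need attention first.
count_world_reachable() {
    unexpected_listeners "$1" | grep -c ' world-reachable$' || true
}

unexpected_listeners "$SAMPLE_LISTENERS"
```

Replace SAMPLE_LISTENERS with the real output of `ss -ltnp` (trimmed to the three fields) and EXPECTED_PORTS with what the machine is actually meant to serve; anything reported world-reachable is what the lock-down step should remove or firewall.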