Service: ingreslock (tcp/1524) (,none,eth0) - 3 packets
Kevin Passey
kev at kdpsoftware1.demon.co.uk
Thu Feb 3 10:14:08 UTC 2005
Thanks for that Ben,
This box is not connected directly - my firewall/router port forwards
traffic to port 80 for HTTP and 25 for Sendmail. I have blocked all
connections to the relevant Trojan ports on the firewall, in and out. I
also have Firestarter on the RH box which is behind the router - belt and
braces maybe!!
I'm closely watching anything that goes out.
Thanks for your reply.
Kevin
----- Original Message -----
From: "Benjamin J. Weiss" <benjamin at birdvet.org>
To: "Kevin Passey" <kev at kdpsoftware1.demon.co.uk>; "General Red Hat Linux discussion list" <redhat-list at redhat.com>
Sent: Tuesday, February 01, 2005 3:14 PM
Subject: Re: Service: ingreslock (tcp/1524) (,none,eth0) - 3 packets
> Kevin Passey wrote:
>
> >Hi all,
> >
> >I found this in my LogWatch so I started Googling and became very nervous that I had been hacked.
> >
> >I checked for all the various /tmp/bob files etc - installed chkrootkit and ran it - nothing !! I've blocked all the relevant outgoing traffic on my router/firewall and installed firestarter.
> >
> >
> >
> I would run chkrootkit from a live CD. Specifically, I'd download and
> burn a LiveCD of knoppix-std or one of the others that has chkrootkit,
> then I'd reboot with that CD, mount your old filesystem, and run
> chkrootkit that way. It's the only way to ensure that you don't have
> hostile kernel modules hiding themselves. Of course, if you have been
> rooted, I wouldn't expect that those log entries would have shown up...
>
> Ben
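The offline check Ben describes (boot a live CD, mount the old filesystem, run chkrootkit against it), written out as an added example that is not part of the original thread. The device name, the mount point, the log path and the ext3 filesystem type are assumptions; `offline_scan` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: run chkrootkit from a live CD against a suspect disk.
# Assumptions (not from the thread): the suspect root filesystem is ext3 on
# the block device given as the first argument (e.g. /dev/hda2), and
# chkrootkit is on the live CD's PATH.
# Usage, as root on the live CD:  offline_scan /dev/hda2 /mnt/suspect

offline_scan() {
    dev=$1
    mnt=${2:-/mnt/suspect}
    log=/tmp/chkrootkit-offline.log   # kept on the live CD's RAM disk

    [ -n "$dev" ] || { echo "usage: offline_scan DEVICE [MOUNTPOINT]" >&2; return 2; }
    [ -b "$dev" ] || { echo "$dev is not a block device" >&2; return 2; }
    command -v chkrootkit >/dev/null 2>&1 || { echo "chkrootkit not found" >&2; return 3; }

    mkdir -p "$mnt" || return 1

    # ro      : never write to the suspect disk
    # noload  : do not replay the ext3 journal (a replay writes even under ro)
    # noexec, nosuid, nodev : nothing stored on the suspect disk can execute,
    #           gain privilege or act as a device node while it is mounted
    mount -o ro,noload,noexec,nosuid,nodev "$dev" "$mnt" || return 1

    # -r makes chkrootkit treat $mnt as the root directory. The kernel and
    # the helper binaries (ls, ps, netstat, ...) come from the live CD, so a
    # hostile kernel module on the suspect system is never loaded and cannot
    # hide files from the scan.
    chkrootkit -r "$mnt" >"$log" 2>&1
    rc=$?

    umount "$mnt"

    # chkrootkit marks positive findings with the upper-case word INFECTED.
    if grep 'INFECTED' "$log"; then
        echo "findings above; full output in $log" >&2
    else
        echo "no INFECTED lines; full output in $log" >&2
    fi
    return $rc
}
```
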