LinuxQuestions.org
Support LQ: Use code LQ3 and save $3 on Domain Registration
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 10-08-2003, 08:49 AM   #1
smc_one
LQ Newbie
 
Registered: Jul 2003
Posts: 11

Rep: Reputation: 0
Port monitor program?


Ahh! Ive been hacked somehow .. And I want to catch them if they try it again.

Is there a program that will monitor ports on an ethernet card and log access attempts to the ports. I know there is such a beast - just dont know the name of it..
 
Old 10-08-2003, 09:08 AM   #2
fsbooks
Member
 
Registered: Jan 2002
Location: Missoula. Montana, USA
Distribution: Slackware (various)
Posts: 457

Rep: Reputation: 41
portsentry It was written and released by psionic and used to be maintained and updated on their site, although psionic has since been bought by CISCO and they no longer provide it. A google search should be productive though if noone posts a direct link somewhere.
 
Old 10-08-2003, 09:09 AM   #3
fsbooks
Member
 
Registered: Jan 2002
Location: Missoula. Montana, USA
Distribution: Slackware (various)
Posts: 457

Rep: Reputation: 41
BTW, how do you know you've been hacked and what have you done to clean up the mess?
 
Old 10-08-2003, 09:49 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533
Ahh! Ive been hacked somehow .. And I want to catch them if they try it again.
You should not consider that a game to play unless you know you won't be a threat to other boxen on the LAN/internet (and since you got your box compromised, and this maybe sounds harsh, I'd say: it's a game WAY out of your league). Instead perform the three R's: repartition, reformat and re-install from scratch to get your box back to a trusted state. If you don't know how, see the Linux - Security forum's thread "FAQ: Security references": for more info or post in the Linux - Security forum.


IMNSHO you shouldn't use Portsentry or rely on it too much: all it does is react to packets tripping a port.

Need a stupid example? Say you configured Portsentry for tripping on port UDP/31337. Hell yeah, it'd trip each time someone tries the port, but what does this tell you? Zilch. Zilch. Zilch. (Besides that it would be a sad thing to do as BO server doesn't run on Linux.)
Now if you had something that scrubs packets, like Snort does, then you'd have a rule something like this: "alert udp $EXTERNAL_NET any -> $HOME_NET 31337 (msg:"BACKDOOR BackOrifice access"; content: "|ce63 d1d2 16e7 13cf 39a5 a586|";)", which would only react to packets having a specific payload that correllates it with BO usage. See the difference?

From the Linux - Security forum's thread "FAQ: Security references": for more info see "Snort and PortSentry compared": http://www.linux.ie/articles/portsen...rtcompared.php
 
Old 10-08-2003, 09:58 AM   #5
smc_one
LQ Newbie
 
Registered: Jul 2003
Posts: 11

Original Poster
Rep: Reputation: 0
I actually think I stumbled on the person doing their dirty work - noticed my root .bash_history was more recent than when I had last logged in - and lo and behold somehow they had managed to download some type of binaries and install (emerge?) -- it would not have been so obvious except the hacker used login of "lucyfer" and other satanic wording for the names of the programs...

As unSpawn pointed out - I did not know what was done or how it was going to do what - so I just disconnected the box from the network, reformatted and re-install rh9 from scratch...

It was my fault - I had the DMZ on my NAT set to the box and forgot to disable it - so I know I was open to port attacks - how on earth someone was able to find out my root login just from open ports, i dont know...
 
Old 10-08-2003, 10:43 AM   #6
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,332
Blog Entries: 55

Rep: Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533Reputation: 3533
it would not have been so obvious except the hacker used login of "lucyfer" and other satanic wording for the names of the programs

Any apps added you can remember the names for?
Or did you save /etc and your /var/log?
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
monitor traffic per port and ip robca Linux - Networking 1 11-23-2005 02:47 PM
port monitor suggestions mithereal Debian 1 08-29-2005 11:50 PM
port monitor, something for the pro's! joda Linux - Networking 1 06-14-2004 01:34 PM
Monitor Program AquamaN Linux - Software 2 02-16-2003 06:40 PM
which program is using this port? nakkaya Linux - General 4 02-08-2003 09:45 PM


All times are GMT -5. The time now is 07:07 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration