Visit Jeremy's Blog.
Go Back > Forums > Linux Forums > Linux - Distributions > Fedora
User Name
Fedora This forum is for the discussion of the Fedora Project.


Closed Thread
  Search this Thread
Old 09-13-2005, 04:43 PM   #1
Registered: Mar 2004
Posts: 96

Rep: Reputation: 15
Machine compromised, now have ports opened

Hi all, several of my home machines (all run Fedora Core 3) have been hacked and I want to know what to do to get rid of all the malicious things left behind. I believe it is because one of the user has a weak password and the hacker entered that account then run a bunch of ssh port scan and probably many other things. I have disabled that useraccount, kill all his processes, change rootpw and run chkrootkit on the machine and it reports some problems still around. The machine is now offline.

Basically I need your guidance in recover from this without complete reinstall. Thanks in advance.

... sniplet of the report from chkrootkit ,

Checking `bindshell'... INFECTED (PORTS: 4000)
Checking `lkm'... chkproc: nothing detected
Checking `rexedcs'... not found
Checking `sniffer'... eth0: not promisc and no PF_PACKET sockets
Checking `w55808'... not infected
Checking `wted'... chkwtmp: nothing deleted
Checking `scalper'... not infected
Checking `slapper'... not infected
Checking `z2'... chklastlog: nothing deleted
Checking `chkutmp'... The tty of the following user process(es) were not found
in /var/run/utmp !
! root 3460 tty4 /sbin/mingetty tty4
! root 3462 tty5 /sbin/mingetty tty5
! root 3464 tty6 /sbin/mingetty tty6
chkutmp: nothing deleted
Old 09-13-2005, 05:30 PM   #2
Registered: Nov 2002
Location: Kent, England
Distribution: Debian Testing
Posts: 19,192
Blog Entries: 4

Rep: Reputation: 475Reputation: 475Reputation: 475Reputation: 475Reputation: 475
Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Machine compromised, now have ports opened tvn Linux - Security 4 09-21-2005 03:04 AM
Compromised machine delling81 Linux - Security 3 04-05-2005 10:20 PM
If I had a compromised machine... TheIrish Linux - Security 9 11-28-2003 01:31 PM
Which ports should be opened? ivanatora Linux - Security 8 09-28-2003 08:24 AM
Ports that are already opened? ksoma Linux - Newbie 3 06-29-2003 08:13 AM > Forums > Linux Forums > Linux - Distributions > Fedora

All times are GMT -5. The time now is 12:37 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration