LinuxQuestions.org


chilibowl 08-06-2003 03:08 PM

Ksirc, Stupid Move!!
 
Hello Linux heads, just did something REALLY stupid last night on my trusty Red Hat box. Using Red Hat 6.0 with KDE, I somehow decided to "use" or abuse KSirc, the chat program that is part of INTERNET OPTIONS.

New to this chat stuff, I did some REMOTE connections (like "undernet" out of AMSTERDAM, and a few others).

The bad part is, I did this under ROOT user circumstances.

Just to check out my error, I brought up a terminal & typed in NETSTAT and noticed some FUNNY IP numbers and one that is clearly IRC (undernet). I also tried to "traceroute" these numbers (under network tools), with similar results.



The really scary thing is that when I disconnect my MODEM (software-wise & physically), I try NETSTAT again and these same IP (IRC) numbers come up again.

So what do I have, a HACKED Linux box acting as someone's SERVER????? Or worse??????


What can I do to remedy all this shit that I got myself into!!!!!



Regards, chilibowl

sub_slack 08-06-2003 04:43 PM

Don't worry about what netstat says when you unplug the modem; it will show the last connection state you had.
Use who or w to see what users are connected.
You can kill that connection with
fuser -v -n tcp -k -i port_number

Also, in /etc/hosts.deny add ALL : ALL

Capt_Caveman 08-06-2003 05:07 PM

I'd be concerned that I got rooted if I were you. Especially if you reboot and notice sockets listening to odd port numbers that shouldn't be open. I would consider it a compromised box until you made very sure that it was clean. Download and run chkrootkit to see if you can detect anything. Check /etc/passwd to see if you have any new users (users like h4z0r or 3l337 are probably not a good sign). If you had the foresight to install a file system integrity checker (like tripwire), then check your logs to see if anything significant has changed.

If you continue to notice strange activity, I would seriously think about backing up your personal files and doing a fresh reinstall. You can try and hunt down rootkits, but if you have something nasty like an LKM, you'll have a hard time.
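
The two manual checks suggested in the reply above (unexpected accounts in /etc/passwd, sockets listening on odd ports), sketched as an added example that is not part of the original thread. The function names, the sample data and the allow-list of expected ports are assumptions made up for illustration.

```shell
# Added example; all sample data is constructed, not taken from a real host.

# Flag passwd entries worth a look: uid 0 other than root, an empty
# password field, or a uid already used by an earlier entry.
suspicious_accounts() {
    awk -F: '
        /^#/ || NF < 7          { next }
        $3 == 0 && $1 != "root" { print $1 ": uid 0 but not root" }
        $2 == ""                { print $1 ": empty password field" }
        ($3 in seen)            { print $1 ": shares uid " $3 " with " seen[$3] }
        !($3 in seen)           { seen[$3] = $1 }
    '
}

# Print listening TCP ports missing from the allow-list in $1. Only LISTEN
# rows are services; other states are connections that can linger.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)
            if (!(port in ok)) print port
        }
    '
}

sample_passwd() {   # constructed passwd-format input
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
chili:x:500:500::/home/chili:/bin/bash
h4z0r:x:0:0::/tmp:/bin/bash
ftpd::501:501::/var/ftp:/bin/sh
EOF
}

sample_netstat() {  # constructed `netstat -tan`-format input
    cat <<'EOF'
Proto Recv-Q Send-Q Local Address     Foreign Address     State
tcp        0      0 0.0.0.0:22        0.0.0.0:*           LISTEN
tcp        0      0 0.0.0.0:31337     0.0.0.0:*           LISTEN
tcp        0      0 192.0.2.10:1045   198.51.100.7:6667   ESTABLISHED
tcp        0      0 192.0.2.10:1046   198.51.100.7:6667   TIME_WAIT
EOF
}

sample_passwd  | suspicious_accounts
sample_netstat | unexpected_listeners "22 25"
```

On a live system the inputs would be /etc/passwd and the output of netstat -tan. A rootkit can replace netstat or hide entries, so a clean result from these checks does not clear the box.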


All times are GMT -5.