LinuxQuestions.org
Old 08-06-2003, 02:08 PM   #1
chilibowl
Member
 
Registered: Sep 2002
Location: woodstock-kingston ,ny usa
Distribution: Started out Ma R dhat 6.0 , then Suse 8.2 , 9.2 ,10.open suse , KNOPPIX 2.73 &5.1 DVD any Live dis
Posts: 147

Rep: Reputation: 15
Ksirc, Stupid Move!!


Hello Linux heads, just did something REALLY stupid last night on my trusty Red Hat box. Using Red Hat 6.0 with KDE, I somehow decided to "use" or abuse KSirc, the CHAT program that is part of INTERNET OPTIONS.

New to this chat stuff, I did some REMOTE connections (like "undernet" out of AMSTERDAM, and a few others).

The bad part is, I did this under ROOT user circumstances.

Just to check out my error, I brought up a terminal and typed in NETSTAT and noticed some FUNNY IP nos. and one that is clearly IRC (undernet). I also tried to "traceroute" these #s (under network tools), with similar results.

The really scary thing is that when I disconnect my MODEM (software-wise and physically), I try NETSTAT again and these same IP (irc) nos. come up again.

So what do I have, a HACKED LINUX box acting as someone's SERVER????? Or worse??????

What can I do to remedy all this shit that I got myself into!!!!!

Regards, chilibowl
 
Old 08-06-2003, 03:43 PM   #2
sub_slack
Member
 
Registered: Jul 2003
Distribution: slackware
Posts: 56

Rep: Reputation: 15
Don't worry about what netstat says when you unplug the modem; it will show the last connection state you had.
Use who or w to see what users are connected.
You can kill that connection with
fuser -v -n tcp -k -i port_number

Also, in /etc/hosts.deny add ALL : ALL
 
Old 08-06-2003, 04:07 PM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I'd be concerned that I got rooted if I were you. Especially if you reboot and notice sockets listening on odd port numbers that shouldn't be open. I would consider it a compromised box until you made very sure that it was clean. Download and run chkrootkit to see if you can detect anything. Check /etc/passwd to see if you have any new users (users like h4z0r or 3l337 are probably not a good sign). If you had the foresight to install a file system integrity checker (like tripwire), then check your logs to see if anything significant has changed.

If you continue to notice strange activity, I would seriously think about backing up your personal files and doing a fresh reinstall. You can try and hunt down rootkits, but if you have something nasty like an LKM, you'll have a hard time.
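
Added example, not part of the original thread: shell functions for the checks suggested in post #3 (listening sockets on odd ports, new or extra UID 0 accounts in /etc/passwd). The function names, the expected-port list and the known-good passwd copy are assumptions, and all sample data is constructed.

```shell
#!/bin/sh
# Added example. All sample data below is constructed for illustration.

# Ports in LISTEN state that are not on the expected list.
# $1 = saved `netstat -tan` output, $2 = space-separated expected ports
unexpected_listeners() {
    awk -v ok="$2" '
        BEGIN { n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1 }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            port = $4; sub(/.*:/, "", port)   # drop the address, keep the port
            if (!(port in allow)) print port
        }' "$1" | sort -n | uniq
}

# Accounts other than root that carry UID 0.  $1 = passwd-format file
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# Accounts in the current file that are missing from a known-good copy.
# $1 = current passwd file, $2 = known-good copy (assumed to come from a backup)
new_accounts() {
    awk -F: -v base="$2" '
        BEGIN { while ((getline l < base) > 0) { split(l, f, ":"); known[f[1]] = 1 } }
        !($1 in known) { print $1 }' "$1"
}

# --- constructed sample input ---
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/netstat.txt" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:1045         198.51.100.7:6667       TIME_WAIT
EOF
cat > "$SAMPLES/passwd.good" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chili:x:500:500::/home/chili:/bin/bash
EOF
cat > "$SAMPLES/passwd.now" <<'EOF'
root:x:0:0:root:/root:/bin/bash
chili:x:500:500::/home/chili:/bin/bash
h4z0r:x:0:0::/tmp:/bin/sh
EOF

echo "unexpected listeners: $(unexpected_listeners "$SAMPLES/netstat.txt" "22")"
echo "extra UID 0 accounts: $(extra_uid0 "$SAMPLES/passwd.now")"
echo "accounts not in known-good copy: $(new_accounts "$SAMPLES/passwd.now" "$SAMPLES/passwd.good")"
```

Feed these functions files collected with trusted binaries (for example from rescue media), because with a kernel-level rootkit of the kind post #3 mentions, netstat and file reads on the suspect system may not report truthfully.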
 
  

