From: "Clint Todish" <ctodish@crayon.com>
To: netfilter@lists.netfilter.org
Cc: 'PayalR' <payal@hotpop.com>
Subject: RE: are these enough now?
Date: Fri, 4 Oct 2002 10:59:26 -0500 [thread overview]
Message-ID: <000001c26bbf$05365e90$731010ac@motion> (raw)
In-Reply-To: <200210041309.g94D9ML10904@vulcan.rissington.net>
More than likely, someone pushed over a root kit to cover their
tracks...if netstat -an doesn't show 2002 open, then you can be sure of
it. Chances are, they've also replaced ps as well to hide the
process...try:
'/usr/sbin/lsof -I udp:2002' to get the PID. If you are running a RedHat
install - 'rpm -Va' and look for a '5' in the 3rd position as that
indicates a MD5 checksum difference from the binary on your machine and
the original package.
Personally, I would recommend a reinstall as you never know for sure
what may be left lurking around.
-C
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Friday, October 04, 2002 8:09 AM
To: netfilter@lists.netfilter.org
Subject: Re: are these enough now?
On Friday 04 October 2002 12:25 pm, PayalR wrote:
> Hi all,
> Thanks a lot for the mails.
>
> > 161 - snmp - are you managing this system from elsewhere, or is this
> > machine the snmp monitor ? UDP 161 only needs to be inbound if
this
> > machine is being monitored from elsewhere
>
> Well, I don't know anyting about SNMP thing. But the guys at the
> server farm suggested I make some changes as told by them in my
> snmpd.conf, so that they say I there will be able to monitor my
> machine. I guess so I am just a client SNMP. So, which ports to keep
> open?
UDP 161 inbound - to listen for SNMP commands
UDP 162 outbound - to generate SNMP traps
> > > Also, nmap shows that 2002/udp globe is open. Shall I close it?
> >
> > machine already has the Slapper worm on it, since that opens UDP
> > port 2002
>
> well, my machine had a slapper worm. I removed the .bugtraq file from
> /tmp. Now still the port is open. This is very important to me. How do
> I close the port???? nmap report says,
> 2002/udp open globe
> How do I know where and what is globe? How do I shut it?
Sorry - don't know - never had Slapper :-) Anyone else here got any
experience or pointers ?
> > I would recommend setting your OUTPUT chain to ESTABLISHED,RELATED
>
> do you mean similar to INPUT rule i.e using -m and all?
Yes.
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
next prev parent reply other threads:[~2002-10-04 15:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <200210041218.26636@.>
2002-10-04 9:47 ` are these enough now? Antony Stone
2002-10-04 11:25 ` PayalR
[not found] ` <200210041648.00792@.>
2002-10-04 13:06 ` ilimit problem HareRam
2002-10-04 13:09 ` are these enough now? Antony Stone
2002-10-04 15:22 ` PayalR
2002-10-04 15:59 ` Clint Todish [this message]
[not found] ` <200210042048.36993@.>
2002-10-04 19:13 ` Antony Stone
2002-10-04 20:32 ` Alistair Tonner
2002-10-07 9:53 ` Antony Stone
2002-10-05 11:39 ` PayalR
[not found] ` <200210051707.52456@.>
2002-10-05 13:05 ` Antony Stone
2002-10-04 13:09 ` How to Find what are the Patches installed HareRam
2002-10-04 16:46 ` Antony Stone
2002-10-04 16:06 are these enough now? Clint Todish
2002-10-04 18:34 ` Mitesh P Choksi
-- strict thread matches above, loose matches on Subject: below --
2002-10-04 7:17 PayalR
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='000001c26bbf$05365e90$731010ac@motion' \
--to=ctodish@crayon.com \
--cc=netfilter@lists.netfilter.org \
--cc=payal@hotpop.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox