From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Clint Todish"
Subject: RE: are these enough now?
Date: Fri, 4 Oct 2002 10:59:26 -0500
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <000001c26bbf$05365e90$731010ac@motion>
References: <200210041309.g94D9ML10904@vulcan.rissington.net>
Mime-Version: 1.0
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <200210041309.g94D9ML10904@vulcan.rissington.net>
Errors-To: netfilter-admin@lists.netfilter.org
List-Help:
List-Post:
List-Subscribe: ,
List-Id:
List-Unsubscribe: ,
List-Archive:
Content-Type: text/plain; charset="us-ascii"
To: netfilter@lists.netfilter.org
Cc: 'PayalR'

More than likely, someone pushed over a root kit to cover their tracks... if netstat -an doesn't show 2002 open, then you can be sure of it. Chances are they've also replaced ps to hide the process... try '/usr/sbin/lsof -i udp:2002' to get the PID.

If you are running a RedHat install, run 'rpm -Va' and look for a '5' in the 3rd position, as that indicates an MD5 checksum difference between the binary on your machine and the original package.

Personally, I would recommend a reinstall, as you never know for sure what may be left lurking around.

-C

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Friday, October 04, 2002 8:09 AM
To: netfilter@lists.netfilter.org
Subject: Re: are these enough now?

On Friday 04 October 2002 12:25 pm, PayalR wrote:

> Hi all,
> Thanks a lot for the mails.
>
> > 161 - snmp - are you managing this system from elsewhere, or is this
> > machine the snmp monitor ? UDP 161 only needs to be inbound if this
> > machine is being monitored from elsewhere
>
> Well, I don't know anything about this SNMP thing. But the guys at the
> server farm suggested I make some changes, as told by them, in my
> snmpd.conf, so that, they say, they will be able to monitor my
> machine. I guess I am just an SNMP client. So, which ports to keep
> open?

UDP 161 inbound - to listen for SNMP commands
UDP 162 outbound - to generate SNMP traps

> > > Also, nmap shows that 2002/udp globe is open. Shall I close it?
> >
> > machine already has the Slapper worm on it, since that opens UDP
> > port 2002
>
> Well, my machine had a Slapper worm. I removed the .bugtraq file from
> /tmp. Now the port is still open. This is very important to me. How do
> I close the port???? nmap report says,
> 2002/udp open globe
> How do I know where and what is globe? How do I shut it?

Sorry - don't know - never had Slapper :-)

Anyone else here got any experience or pointers ?

> > I would recommend setting your OUTPUT chain to ESTABLISHED,RELATED
>
> do you mean similar to the INPUT rule, i.e. using -m and all?

Yes.

Antony.

--
Behind the counter a boy with a shaven head stared vacantly into space, a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
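As an added example that is not part of the thread above: a small POSIX sh script that turns the checks Clint lists (compare what netstat and lsof report for the port, then scan rpm -Va output for a '5' in the third flag position) into something that can be run against captured tool output. The netstat, lsof and rpm -Va samples are constructed for this example (the .bugtraq process name is taken from the thread), the function names are my own, and the lsof column layout assumed is the default nine-column one (COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME).

```shell
#!/bin/sh
# Added example (not from the netfilter thread): triage helpers for the
# hidden-listener and rpm -Va checks discussed above. Samples below are
# constructed; on a live host feed the functions the output of
# `netstat -an`, `lsof -i -n -P` and `rpm -Va` collected with trusted tools.

# Constructed `netstat -an` output from a host whose netstat has been
# trojaned: UDP 2002 is absent even though a socket is bound to it.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*'

# Constructed `lsof -i -n -P` output from the same host (lsof not replaced).
LSOF_SAMPLE='COMMAND   PID   USER FD   TYPE DEVICE SIZE/OFF NODE NAME
sshd      812   root  3u  IPv4   1204      0t0  TCP *:22 (LISTEN)
snmpd     901   root  5u  IPv4   1590      0t0  UDP *:161
.bugtraq 1337 apache  3u  IPv4   2210      0t0  UDP *:2002'

# Constructed `rpm -Va` output: flag string (S M 5 D L U G T), optional
# attribute letter (c = config file), then the path.
RPM_SAMPLE='S.5....T   /bin/ps
S.5....T   /bin/netstat
.......T c /etc/hosts
S.5....T c /etc/snmp/snmpd.conf
missing    /usr/share/doc/foo-1.0/README
.M......   /var/lib/nfs/statd'

# "proto port" for every tcp/udp socket netstat lists (port is the last
# colon-separated piece of the Local Address column).
netstat_ports() {
    printf '%s\n' "$1" |
        awk '$1 == "tcp" || $1 == "udp" { n = split($4, a, ":"); print $1, a[n] }' |
        sort -u
}

# "proto port pid command" for every socket lsof lists (NODE is column 8,
# NAME such as *:2002 is column 9).
lsof_ports() {
    printf '%s\n' "$1" |
        awk '$8 == "TCP" || $8 == "UDP" { n = split($9, a, ":"); print tolower($8), a[n], $2, $1 }' |
        sort -u
}

# Sockets lsof can see that netstat does not list: the signature of a
# replaced netstat (or of something else hiding the listener).
hidden_listeners() {
    known=$(netstat_ports "$1")
    lsof_ports "$2" | while read -r proto port pid cmd; do
        printf '%s\n' "$known" | grep -qxF "$proto $port" || echo "$proto $port $pid $cmd"
    done
}

# Paths whose third verification flag is '5' (on-disk MD5 differs from the
# package). Config files (attribute 'c') legitimately change and are skipped
# unless the second argument is "all"; "missing" lines carry no flag string.
md5_changed() {
    printf '%s\n' "$1" | awk -v all="$2" '
        $1 == "missing" { next }
        substr($1, 3, 1) == "5" && (all == "all" || $2 != "c") { print $NF }'
}

echo "== listeners lsof sees that netstat hides =="
hidden_listeners "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"
echo "== package files whose MD5 no longer matches (config files skipped) =="
md5_changed "$RPM_SAMPLE"
```

Feeding the functions captured text rather than calling the tools directly is deliberate: a rootkit that replaced netstat and ps may just as well have replaced lsof and rpm, or be a kernel module that hides the socket from /proc, so collect the output with a known-good toolkit or from a rescue boot, and verify against the vendor's original packages rather than trusting only the local rpm database. Config files are skipped by default because the snmpd.conf edit described in the thread would show up as a '5' without meaning anything.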