From: "Clint Todish" <ctodish@crayon.com>
To: netfilter@lists.netfilter.org
Cc: 'PayalR' <payal@hotpop.com>
Subject: RE: are these enough now?
Date: Fri, 4 Oct 2002 11:06:05 -0500
Message-ID: <000101c26bbf$f205b0e0$731010ac@motion>
In-Reply-To:
'/usr/sbin/lsof -i udp:2002' - sorry - M$OUTLOOK wants to cap that -i
for some reason.
-C
-----Original Message-----
From: Clint Todish [mailto:ctodish@crayon.com]
Sent: Friday, October 04, 2002 10:59 AM
To: 'netfilter@lists.netfilter.org'
Cc: 'PayalR'
Subject: RE: are these enough now?
More than likely, someone pushed over a rootkit to cover their
tracks... if netstat -an doesn't show 2002 open, then you can be sure of
it. Chances are they've also replaced ps as well to hide the
process... try '/usr/sbin/lsof -I udp:2002' to get the PID. If you are
running a RedHat install, run 'rpm -Va' and look for a '5' in the 3rd
position, as that indicates an MD5 checksum difference between the binary on
your machine and the original package.
Personally, I would recommend a reinstall as you never know for sure
what may be left lurking around.
-C
-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Antony Stone
Sent: Friday, October 04, 2002 8:09 AM
To: netfilter@lists.netfilter.org
Subject: Re: are these enough now?
On Friday 04 October 2002 12:25 pm, PayalR wrote:
> Hi all,
> Thanks a lot for the mails.
>
> > 161 - snmp - are you managing this system from elsewhere, or is this
> > machine the snmp monitor ? UDP 161 only needs to be inbound if this
> > machine is being monitored from elsewhere
>
> Well, I don't know anything about this SNMP thing. But the guys at the
> server farm suggested I make some changes, as told by them, in my
> snmpd.conf, so that, they say, they will be able to monitor my
> machine. I guess I am just an SNMP client. So, which ports to keep
> open?
UDP 161 inbound - to listen for SNMP commands
UDP 162 outbound - to generate SNMP traps
> > > Also, nmap shows that 2002/udp globe is open. Shall I close it?
> >
> > machine already has the Slapper worm on it, since that opens UDP
> > port 2002
>
> Well, my machine had a Slapper worm. I removed the .bugtraq file from
> /tmp. Now the port is still open. This is very important to me. How do
> I close the port? nmap report says,
> 2002/udp open globe
> How do I know where and what is globe? How do I shut it?
Sorry - don't know - never had Slapper :-) Anyone else here got any
experience or pointers ?
> > I would recommend setting your OUTPUT chain to ESTABLISHED,RELATED
>
> do you mean similar to INPUT rule i.e using -m and all?
Yes.
Antony.
--
Behind the counter a boy with a shaven head stared vacantly into space,
a dozen spikes of microsoft protruding from the socket behind his ear.
- William Gibson, Neuromancer (1984)
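The checks discussed in this thread (find the process behind 2002/udp with lsof, compare that with what netstat admits to, and read the third character of the `rpm -Va` verify string), together with the SNMP rule set Antony describes, as an added shell example that is not part of any mail in the thread. The netstat, lsof and rpm outputs below are constructed samples, the monitoring host 192.0.2.10 is an assumed address, and the helpers parse the text output of those tools so the logic can be tried without root or a live compromised box; on a real machine feed them the actual commands named in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Triage helpers that work on the text
# output of netstat, lsof and rpm. The *_SAMPLE strings are constructed.

# Constructed `netstat -an` output: no UDP 2002 socket is reported.
NETSTAT_SAMPLE='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:161             0.0.0.0:*
udp        0      0 0.0.0.0:123             0.0.0.0:*'

# Constructed `lsof -nP -i udp` output: the 2002/udp listener shows up here,
# with the PID of the process holding it.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
snmpd     612 root    7u  IPv4   1522      0t0  UDP *:161
ntpd      640 ntp    16u  IPv4   1601      0t0  UDP *:123
.bugtraq 3104 apache  3u  IPv4   9087      0t0  UDP *:2002'

# Constructed `rpm -Va` output. The verify string is S M 5 D L U G T
# (size, mode, MD5, device, link, user, group, mtime); a dot means "matches".
RPM_SAMPLE='S.5....T   /bin/ps
S.5....T   /bin/netstat
.......T c /etc/snmp/snmpd.conf
missing    /usr/share/doc/foo/README'

# UDP local ports from `netstat -an` text on stdin (handles v4 and v6 forms).
udp_ports_from_netstat() {
    awk '$1 ~ /^udp6?$/ { n = split($4, a, ":"); print a[n] }' | sort -un
}

# UDP local ports from `lsof -nP -i udp` text on stdin.
udp_ports_from_lsof() {
    awk '$8 == "UDP" { n = split($9, a, ":"); print a[n] }' | sort -un
}

# hidden_udp_ports NETSTAT_TEXT LSOF_TEXT: ports lsof sees bound that netstat
# does not report, one per line. Non-empty output means netstat is lying
# (or the snapshots were taken at different times: rerun to confirm).
hidden_udp_ports() {
    {
        printf '%s\n' "$1" | udp_ports_from_netstat | sed 's/^/ns /'
        printf '%s\n' "$2" | udp_ports_from_lsof   | sed 's/^/ls /'
    } | awk '$1 == "ns" { seen[$2] = 1; next } !($2 in seen) { print $2 }'
}

# rpm_md5_mismatches: paths from `rpm -Va` text on stdin whose verify string
# has '5' in the third position, i.e. the on-disk MD5 digest differs from the
# one recorded in the package database. Paths containing spaces are not handled.
rpm_md5_mismatches() {
    awk '$1 != "missing" && substr($1, 3, 1) == "5" { print $NF }'
}

# snmp_rules MANAGER: iptables rules for a box polled by MANAGER (assumed to
# be the server farm's monitoring host). Replies to 161 polls are ESTABLISHED
# as far as conntrack is concerned, but a trap to 162 is a NEW outbound UDP
# flow, so an OUTPUT policy of ESTABLISHED,RELATED alone would drop it.
snmp_rules() {
    cat <<EOF
iptables -A INPUT  -p udp -s $1 --dport 161 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p udp -d $1 --dport 162 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -P OUTPUT DROP
EOF
}

echo "UDP ports lsof sees but netstat does not report:"
hidden_udp_ports "$NETSTAT_SAMPLE" "$LSOF_SAMPLE"
echo "Packaged files whose MD5 digest no longer matches:"
printf '%s\n' "$RPM_SAMPLE" | rpm_md5_mismatches
echo "SNMP rules for manager 192.0.2.10:"
snmp_rules 192.0.2.10
```

Two caveats on reading the results. A kernel-level rootkit hides the socket from lsof as well as from netstat, so a clean comparison needs known-good static binaries or an examination from boot media; and `rpm -Va` trusts the local rpm database, which the intruder may have rewritten, so a suspicious file should be re-verified against the original package file with `rpm -Vp`. Firewalling 2002/udp removes the symptom nmap reported, not the intruder's access, which is why the reinstall advice in the thread stands.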