
RE: hacked?



On 10-Apr-01 Luis Cova opined:
> 
>> I haven't read up on the adore worm. I read about the ramen and tested
>> for it. I read about the lion and tested for it (and even caught it
>> working on breaking in at 3AM). But, haven't followed this one at all.
>> I'd check it out!
>>
>> ---
> 
> What did you do about the lion worm.... how did you test it, and
> even caught it....
> 
> I think my server is infected.. what can I do??????
> 
> What are the signals for detecting the lion worm

Actually, I was just sitting there doing useless stuff. My hard drive
started making noises just like it does when it downloads mail. But, it
took a couple of minutes before I noticed it was doing things at regular
intervals unlike the way the mail downloads go. I pulled up the log and
saw I was getting regular trash signals on my printer port, which also
happened to be exposed to the internet (but, with upgraded lprng files).
I traced it to a computer in Taiwan and wrote the sysadmin. I then added
the entire block to my hosts.deny to stop it completely. I still watched
the logs for a while and it abruptly stopped.

The next day I got an email from the sysadmin that they'd found an
infected user among their subscribers and he shut it down as soon as they
contacted him.

It never actually entered my system. I just caught it probing.

There are scripts out there for checking to see if you have these. I have
a couple (mailing them to you offlist) for the 2 I checked. At least one
of them will also remove infections (the ramen, I think). But, I didn't go
too deeply into finding out about the other and don't know what the symptoms
are or if there is even a fix. I do know Red Hat had a link on the
webpages about protecting oneself from one of them.

I also reconfigured my exposed printer port to only allow particular IPs
to have access. I was only experimenting with it in the first place and
was dumb to leave it wide open the way I did.

---
Sometimes you have to stride boldly up to life,
look it straight in the eye, and say "huh?"
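
Added example, not part of the original message and not one of the scripts it mentions: a sketch of the log check described above, flagging sources that hit the printer daemon at regular intervals and printing a hosts.deny entry for their block. The log line format, the sample addresses, the year and the /24 block size are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines. The message format is an assumption for this
# example, not real lpd/LPRng output; addresses are documentation ranges.
SAMPLE_LOG = """\
Apr  9 02:10:00 box lpd[812]: connection from 198.51.100.7
Apr  9 02:47:12 box lpd[812]: connection from 198.51.100.7
Apr  9 03:00:05 box lpd[812]: connection from 203.0.113.45
Apr  9 03:00:35 box lpd[812]: connection from 203.0.113.45
Apr  9 03:01:05 box lpd[812]: connection from 203.0.113.45
Apr  9 03:01:36 box lpd[812]: connection from 203.0.113.45
Apr  9 03:01:50 box lpd[812]: connection from 198.51.100.7
Apr  9 03:02:05 box lpd[812]: connection from 203.0.113.45
Apr  9 03:02:35 box lpd[812]: connection from 203.0.113.45
Apr  9 05:30:02 box lpd[812]: connection from 198.51.100.7
Apr  9 05:31:00 box lpd[812]: connection from 198.51.100.7
"""
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ lpd\[\d+\]: connection from (\d+(?:\.\d+){3})$")

def parse(log, year=2001):
    """Group connection timestamps by source (syslog lines carry no year)."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(2)].append(
                datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return hits

def periodic_sources(hits, min_hits=5, max_cv=0.1):
    """Return {ip: mean gap in seconds} for sources with near-constant gaps."""
    flagged = {}
    for ip, times in hits.items():
        if len(times) < min_hits:
            continue
        times = sorted(times)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        # Low spread relative to the mean gap indicates machine-like timing.
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            flagged[ip] = avg
    return flagged

def deny_line(ip):
    """hosts.deny entry for the source's /24 (block size is an assumption)."""
    return "ALL: " + ".".join(ip.split(".")[:3]) + "."

if __name__ == "__main__":
    for ip, gap in periodic_sources(parse(SAMPLE_LOG)).items():
        print(f"{ip} probes every ~{gap:.0f}s -> {deny_line(ip)}")
```

The second source in the sample connects just as often but at irregular intervals, so it is not flagged; tune `min_hits` and `max_cv` to the traffic the port normally sees.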




