Re: the port 41430?I was cracked :-(
- From: Hal Burgiss <hal foobox net>
- To: "redhat-list redhat com" <redhat-list redhat com>
- Subject: Re: the port 41430?I was cracked :-(
- Date: Sat Jun 1 22:13:02 2002
On Sun, Jun 02, 2002 at 09:25:01AM +0800, Huter.Liu wrote:
> Hi, everyone!
> I'm using rh7.2, but my machine was hacked recently. I open wu-ftpd
> and www server only. I really don't know how the hacker cracked in; I
> guess maybe it is from wu-ftpd, the ftp server. Now I found there is a tcp
> link:
> Proto Recv-Q Send-Q Local Address Foreign Address State
> tcp 0 0 My IP:41430 205.252.46.98:6667 ESTABLISHED
> What does this mean?
> The ps and netstat commands are unusable. I downloaded the psproc and
> net-tools rpms and upgraded the two packages, so I found the strange
> 41430 port, but when I use ps aux|less the running processes look
> quite well. What should I do next?
Standard procedure in such unfortunate situations:
-Unplug/disconnect from Network.
-Back up any personal data. Do _not_ back up any system files like
configuration files.
-Find installation disks, re-install while reformatting all partitions
as you go.
-Restore personal backups.
-Disable all outside/public services.
-Apply all errata updates from Red Hat or mirror.
-Re-examine local policies, i.e. 'should I run services that have a
really bad track record for exploits, and if so, how can I make this
harder for the next time'
-Re-connect to network, and run up2date at least once a day.
The reason being someone else seems to have root access on your
machine, and may have multiple backdoors that are well concealed, and
you may never find them all.
--
Hal Burgiss
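
Added example, not part of the messages above: the question reports that ps and netstat were unusable, so this sketch lists ESTABLISHED TCP sockets by reading a /proc/net/tcp-style table with shell builtins only, and marks peers on port 6667 as in the quoted netstat line. The sample table is constructed; the local address 192.0.2.10 and the second peer are placeholders, and the little-endian address layout assumes x86.

```shell
#!/bin/sh
# List ESTABLISHED TCP sockets straight from the kernel table,
# using only shell builtins (no netstat, ps, awk or cut).

# Little-endian hex IPv4, as /proc/net/tcp prints it on x86, to dotted quad.
hex2ip() {
    local h="$1" a b c d
    a=${h%??????}; h=${h#??}
    b=${h%????};   h=${h#??}
    c=${h%??};     d=${h#??}
    printf '%d.%d.%d.%d' "0x$d" "0x$c" "0x$b" "0x$a"
}

# Print "local -> remote" for every ESTABLISHED socket in the given table.
established() {
    local table="${1:-/proc/net/tcp}" sl laddr raddr st rest rport note
    while read -r sl laddr raddr st rest; do
        [ "$st" = "01" ] || continue      # 01 = ESTABLISHED, 0A = LISTEN
        rport=$((0x${raddr##*:}))         # ports are plain hex
        note=""
        # 6667 is the conventional IRC port, the remote port in the quoted output
        if [ "$rport" -eq 6667 ]; then note=" <-- IRC port"; fi
        echo "$(hex2ip "${laddr%%:*}"):$((0x${laddr##*:})) -> $(hex2ip "${raddr%%:*}"):$rport$note"
    done < "$table"
}

# Constructed sample in /proc/net/tcp layout: one listener, one inbound web
# connection from a placeholder peer, and the outbound connection to :6667.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001
   1: 0A0200C0:0050 076433C6:C738 01 00000000:00000000 00:00000000 00000000     0        0 1002
   2: 0A0200C0:A1D6 622EFCCD:1A0B 01 00000000:00000000 00:00000000 00000000     0        0 1003
EOF
established "$sample"
```

Called with no argument, `established` reads the live /proc/net/tcp. On a machine where someone else has root, the kernel's own view can be tampered with as well, so the output helps with triage only and does not replace the reinstall.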