Re: the port 41430? I was cracked :-(
- From: Muhammad Faisal Rauf Danka <mfrd attitudex com>
- To: redhat-list redhat com
- Subject: Re: the port 41430? I was cracked :-(
- Date: Sat Jun 1 22:36:00 2002
Looks like there is a bot/bnc connected to the Undernet IRC network through your box.
*** Resolved 205.252.46.98 to babble-on.systems.cais.net
and
*** Resolved McLean.VA.us.undernet.org to 205.252.46.98
I suggest you unplug your server from the network immediately, then replace the server with another server if it's an important operational server. Remember to patch the replacement server with all the patches available from the RedHat errata website for your distribution and the services that you run. By the way, the default ftp in RH7.2 is indeed a vulnerable version, and its update is available on the RedHat 7.2 errata website. If you back up anything from the compromised server, then remember not to back up system files, because they are most probably trojanned.
After you're done with your backup server, consider doing a forensic analysis on your hacked system, or get help from a security expert, in order to find out what rootkits are installed, what the patterns were, and how you most probably got hacked. If it was running a bot/psyBNC from your server, then you can find out his/her bot's nick or his/her own nick and ident; it will help you a lot in finding out who probably hacked you. It's all not necessary; if you don't want to, you can just format and re-install it as well. But if you're curious, then take that step.
Regards,
---------
Muhammad Faisal Rauf Danka
Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
Vice President
Pakistan Computer Emergency Response Team (PakCERT)
web: www.pakcert.org
Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
--- "Huter.Liu" <huter xtu edu cn> wrote:
>hi, everyone!
> I'm using RH7.2, but my machine was hacked recently. I open wu-ftpd and the www server only; I really don't know how the hacker cracked in. I guess maybe it is from wu-ftpd, the ftp server. Now I found there is a tcp link:
>Proto Recv-Q Send-Q Local Address Foreign Address State
>tcp 0 0 My IP:41430 205.252.46.98:6667 ESTABLISHED
>What does this mean?
> The ps and netstat commands are unusable. I downloaded the psproc and net-tools rpms and upgraded the two packages, so I found the strange 41430 port, but when I use ps aux|less the running processes look quite normal. What should I do as the next step?
> huter xtu edu cn
> 2002-06-02
>_______________________________________________
>Redhat-list mailing list
>Redhat-list redhat com
>https://listman.redhat.com/mailman/listinfo/redhat-list
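The two things the reply above asks the original poster to do before wiping the box, spot the IRC-looking connection in netstat output and record the bot's nick and ident, can be scripted. The following is an added example (not code from either mail, and not part of the redhat-list thread): a small Python triage helper that parses netstat-style rows, flags ESTABLISHED connections to conventional IRC ports, and pulls nick, ident, server and channels out of a captured IRC session. The sample netstat text and IRC session are constructed; the addresses are documentation ranges plus the remote host and Undernet server named in the thread, and the nick, ident and channel names are hypothetical. One caveat the thread itself illustrates: on a rootkitted host, netstat and ps cannot be trusted, so feed this either output produced by binaries from known-good media or a network-side capture (tcpdump from another machine) of the bot's socket.

```python
"""Triage helpers for a box with a suspected IRC bot/bnc (added example).

Assumptions: NETSTAT_SAMPLE and IRC_SAMPLE below are constructed for the
example. 192.0.2.x/198.51.100.x/203.0.113.x are documentation ranges;
205.252.46.98 and McLean.VA.us.undernet.org are the hosts named in the
thread; bncbot1/bncuser/#botchan/#backup are hypothetical.
"""
import re
from dataclasses import dataclass

# Conventional IRC server ports: 6660-6669 and 7000 plaintext, 6697 TLS.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed sample in `netstat -tn` layout (first row mirrors the thread).
NETSTAT_SAMPLE = """\
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 192.0.2.10:41430        205.252.46.98:6667      ESTABLISHED
tcp        0      0 192.0.2.10:22           198.51.100.7:51822      ESTABLISHED
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.10:45012        203.0.113.5:6697        ESTABLISHED
"""

# Constructed client<->server exchange, as it would appear in a tcpdump -A
# or strace capture of the bot's socket.
IRC_SAMPLE = """\
NICK bncbot1
USER bncuser 0 * :psyBNC
:McLean.VA.us.undernet.org 001 bncbot1 :Welcome to the UnderNet IRC Network, bncbot1!bncuser@babble-on.example
JOIN #botchan,#backup key1
PRIVMSG #botchan :online
"""


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str  # empty for udp rows, which carry no state column


def parse_netstat(text):
    """Parse netstat -tn/-un style rows into Conn records; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        state = parts[5] if len(parts) > 5 else ""
        conns.append(Conn(parts[0], parts[3], parts[4], state))
    return conns


def remote_port(addr):
    """Numeric port of 'host:port' (last colon, so IPv6 works too), or None."""
    port = addr.rpartition(":")[2]
    return int(port) if port.isdigit() else None


def irc_connections(conns):
    """ESTABLISHED connections whose remote port is a conventional IRC port."""
    return [c for c in conns
            if c.state == "ESTABLISHED" and remote_port(c.remote) in IRC_PORTS]


def irc_identity(session):
    """Extract nick, ident, server, hostmask and channels from a captured IRC session.

    Client commands (NICK, USER, JOIN) give what the bot asked for; the
    server's 001 reply confirms the nick!ident@host the network actually saw.
    """
    info = {"nick": None, "ident": None, "server": None,
            "hostmask": None, "channels": []}
    for raw in session.splitlines():
        line = raw.strip()
        if not line:
            continue
        prefix = None
        if line.startswith(":"):                  # ":server COMMAND args"
            prefix, _, line = line[1:].partition(" ")
        cmd, _, args = line.partition(" ")
        cmd, words = cmd.upper(), args.split()
        if cmd == "NICK" and words:
            info["nick"] = words[0].lstrip(":")
        elif cmd == "USER" and words:             # USER <ident> <mode> <unused> :<realname>
            info["ident"] = words[0]
        elif cmd == "JOIN" and words:             # JOIN #a,#b [keys]
            for chan in words[0].split(","):
                if chan not in info["channels"]:
                    info["channels"].append(chan)
        elif cmd == "001" and prefix:             # RPL_WELCOME from the server
            info["server"] = prefix
            m = re.search(r"(\S+)!(\S+)@(\S+)", args)
            if m:
                info["hostmask"] = m.group(0)
    return info


if __name__ == "__main__":
    for c in irc_connections(parse_netstat(NETSTAT_SAMPLE)):
        print(f"IRC-looking connection: {c.local} -> {c.remote} ({c.state})")
    print(irc_identity(IRC_SAMPLE))
```

Run it against `netstat -tn` output saved from a trusted binary, or against the text side of `tcpdump -A -s0 port 6667` taken from another host on the same segment; the hostmask from the server's 001 reply is the value worth keeping, since it is what the IRC network logged, whatever the bot's binary claims locally.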