It appears that my computer has been hacked into. The following services are run periodically throughout the day. How do I go about finding out what is starting and stopping them and, more importantly, prevent them from being run? I have a hardware firewall between the computer and ISP.

17762 root   sh -c (safe_finger -l @64.213.97.247 2>&1| /bin/mail -s "in.ftpd-64.213.97.247 unknown" root) &
17763 nobody safe_finger -l @64.213.97.247
17764 root   /bin/mail -s in.ftpd-64.213.97.247 unknown root
17765 nobody finger -l 64.213.97.247
17768 root   /usr/sbin/sshd
17770 root   sh -c (safe_finger -l @::ffff:64.213.97.247 2>&1| /bin/mail -s "sshd-::ffff:64.213.97.247 unknown" root) &
17771 nobody safe_finger -l @::ffff:64.213.97.247
17772 root   /bin/mail -s sshd-::ffff:64.213.97.247 unknown root
17773 nobody finger -l ::ffff:64.213.97.247

Thanks, Mike
If your machine has been broken into, the only way to clean it up is to reformat and reinstall. You cannot trust any binary left on the system (including the kernel), so you won't truly know when you've cleaned it up.

Scott

On Wed, 1 May 2002, Michael Long wrote:
> It appears that my computer has been hacked into. The following services are run periodically throughout the day. How do I go about finding out what is starting and stopping them and, more importantly, prevent them from being run?
>
> I have a hardware firewall between the computer and ISP.
>
> 17762 root   sh -c (safe_finger -l @64.213.97.247 2>&1| /bin/mail -s "in.ftpd-64.213.97.247 unknown" root) &
> 17763 nobody safe_finger -l @64.213.97.247
> 17764 root   /bin/mail -s in.ftpd-64.213.97.247 unknown root
> 17765 nobody finger -l 64.213.97.247
> 17768 root   /usr/sbin/sshd
> 17770 root   sh -c (safe_finger -l @::ffff:64.213.97.247 2>&1| /bin/mail -s "sshd-::ffff:64.213.97.247 unknown" root) &
> 17771 nobody safe_finger -l @::ffff:64.213.97.247
> 17772 root   /bin/mail -s sshd-::ffff:64.213.97.247 unknown root
> 17773 nobody finger -l ::ffff:64.213.97.247
>
> Thanks, Mike
On Wed, May 01, 2002 at 03:55:11PM -0400, Michael Long wrote:
> It appears that my computer has been hacked into. The following services are run periodically throughout the day. How do I go about finding out what is starting and stopping them and, more importantly, prevent them from being run?
>
> I have a hardware firewall between the computer and ISP.
>
> 17762 root   sh -c (safe_finger -l @64.213.97.247 2>&1| /bin/mail -s "in.ftpd-64.213.97.247 unknown" root) &
> 17763 nobody safe_finger -l @64.213.97.247
> 17764 root   /bin/mail -s in.ftpd-64.213.97.247 unknown root
> 17765 nobody finger -l 64.213.97.247
> 17768 root   /usr/sbin/sshd
> 17770 root   sh -c (safe_finger -l @::ffff:64.213.97.247 2>&1| /bin/mail -s "sshd-::ffff:64.213.97.247 unknown" root) &
> 17771 nobody safe_finger -l @::ffff:64.213.97.247
> 17772 root   /bin/mail -s sshd-::ffff:64.213.97.247 unknown root
> 17773 nobody finger -l ::ffff:64.213.97.247
These look like commands generated by tcpwrappers. Check your /etc/hosts.allow and /etc/hosts.deny files.

--
Frank Sweetser  fs at wpi.edu, fs at suave.net  |  $ x 18
Full-time WPI Network Engineer, Part time Linux/Perl guy  |
Woody: What's the latest, Mr. Peterson?
Norm: Zsa-Zsa marries a millionaire, Peterson drinks a beer. Film at eleven.
-- Cheers, Knights of the Scimitar
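To make Frank's point concrete, here is an added illustration (not from anyone in the thread) of how tcp_wrappers turns a hosts.deny spawn option into exactly the process lines Mike saw: a connection from 64.213.97.247 to in.ftpd or sshd is refused, and the %h/%d/%u sequences in the rule are expanded into the safe_finger/mail pipeline. The hosts.deny fragment, the sanitising character set and the one-option-per-rule parser are assumptions, not the poster's real configuration or the tcp_wrappers source.

```python
import re

# Constructed hosts.deny fragment in the style of the classic tcp_wrappers
# booby-trap example; it is NOT the poster's real file.
HOSTS_DENY = r"""
# Deny what hosts.allow did not permit, and mail root a finger probe of the client.
ALL: ALL: spawn (safe_finger -l @%h 2>&1| /bin/mail -s "%d-%h %u" root) &
"""

def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemons, clients, option) tuples.
    Strips '#' comments, joins backslash continuations; assumes one option per rule."""
    rules = []
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            fields = [f.strip() for f in line.split(":", 2)] + ["", ""]
            rules.append((fields[0].split(), fields[1].split(), fields[2]))
    return rules

# Characters allowed to survive expansion (an approximation, i.e. an assumption, of
# the set tcp_wrappers keeps); anything else becomes '_' so a hostile client name
# cannot smuggle shell syntax into the spawned command.
_UNSAFE = re.compile(r"[^A-Za-z0-9@%._:/-]")

def expand(template, conn):
    """Expand the hosts_access(5) %-sequences of a spawn/twist command for one
    connection; conn has 'daemon', 'client' and optionally 'user', 'client_name', 'pid'."""
    table = {
        "%a": conn["client"], "%c": conn["client"], "%h": conn["client"],
        "%d": conn["daemon"], "%n": conn.get("client_name", "unknown"),
        "%p": str(conn.get("pid", 0)), "%u": conn.get("user", "unknown"), "%%": "%",
    }
    def sub(m):
        value = table.get(m.group(0))
        return m.group(0) if value is None else _UNSAFE.sub("_", value)
    return re.sub(r"%.", sub, template)

def spawn_command(rules, conn):
    """Return the command tcp_wrappers would hand to 'sh -c' for conn, or None
    when no matching rule (ALL or exact daemon/client name) has a spawn option."""
    for daemons, clients, option in rules:
        if option.startswith("spawn") and \
           ("ALL" in daemons or conn["daemon"] in daemons) and \
           ("ALL" in clients or conn["client"] in clients):
            return expand(option[len("spawn"):].strip(), conn)
    return None

if __name__ == "__main__":
    rules = parse_rules(HOSTS_DENY)
    print(spawn_command(rules, {"daemon": "in.ftpd", "client": "64.213.97.247"}))
    print(spawn_command(rules, {"daemon": "sshd", "client": "::ffff:64.213.97.247"}))
```

If the expanded command matches the `sh -c` lines in the process list, the activity is the machine's own access-control rule reacting to refused connections, which is worth knowing before deciding whether a reinstall is needed; the client address is still one to block at the firewall.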