Re: rant list
yah, tighe beat me to it... your most useful utility when a box is compromised is lsof, but you do need
to make sure it's not backdoored. However, I've found in most cases when a box is compromised, it's
almost always easier to just re-install it if you aren't interested in tracking down who did it.
--Jamon Terrell
4/16/2002 12:24:17 PM, Richard Fifarek <rfifarek@silug.org> wrote:
>You should install "clean" versions of:
>lsof
>netstat
>inetd
>ps
>df
>du
>ls
>
>Also, check /etc/inittab. Something could be set to start/restart in
>there.
>
>On Tue, 16 Apr 2002, Tighe Schlottog wrote:
>
>> > Ok, could someone throw me a bone here I'm getting stumped and glassy
>> > eyed, hopefully I'm missing something obvious, while I've been loading
>> > this new server (which would have been a lot easier with backups or at
>> > least install disks), I've been digging through the compromised server,
>> > even after replacing inetd with a clean copy and removing all entries
>> > for httpd in inetd.conf and services then restarting using the clean
>> > inetd, nmap is still showing port 80 as open, it should be, you can't
>> > hit the web page (I also did a killall httpd), so am I missing
>> > something, why can't I shut down this port???
>>
>> run this:
>>
>> lsof | grep 80
>>
>> Should report back what is bound to port 80. Have you tried netstat -a
>> --inet?
>>
>> Tighe
>>
>> --
>> Tighe w00t blumnky
>> "I am anger incarnate."
>> "Oh yeah? I toss poo."
>>
>>
>> -
>> To unsubscribe, send email to majordomo@silug.org with
>> "unsubscribe silug-discuss" in the body.
>>
>
> -----------------------------------------------------
> Richard H. Fifarek rfifarek@silug.org
> -----------------------------------------------------
>
>
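Tighe's `lsof | grep 80` and Richard's point about installing "clean" copies of lsof and netstat go together: on a compromised box the userland tools may be trojaned to hide the listener. The script below is an added example, not code from anyone in this thread; it reads /proc/net/tcp directly (Linux), decodes the hex port, keeps only LISTEN entries (state 0A), and maps the socket inode back to a PID through /proc/PID/fd, which bypasses a replaced lsof or netstat. The sample table is constructed for demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): locate LISTEN sockets on a port by
# reading /proc/net/tcp directly instead of trusting lsof/netstat binaries.

# Print the socket inode of every LISTEN (state 0A) entry bound to PORT.
# Reads /proc/net/tcp-format text on stdin; hex port is decoded in plain awk.
listen_inodes() {
    port="$1"
    awk -v want="$port" '
        NR > 1 {
            split($2, a, ":")                     # local address "HEXIP:HEXPORT"
            p = 0
            for (i = 1; i <= length(a[2]); i++)   # portable hex -> decimal
                p = p * 16 + index("0123456789ABCDEF", toupper(substr(a[2], i, 1))) - 1
            if ($4 == "0A" && p == want) print $10   # $10 is the socket inode
        }'
}

# Map a socket inode to the PIDs holding it via /proc/PID/fd symlinks
# (socket:[INODE]); the kernel answers, not a possibly trojaned lsof.
owners_of_inode() {
    inode="$1"
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$inode]" ] && \
            echo "$fd" | cut -d/ -f3
    done | sort -u
}

# Constructed sample in /proc/net/tcp format: a listener on 80 (inode 12345),
# one on 22 (inode 12346), and an ESTABLISHED (01) connection to 80 that
# must NOT be reported as a listener.
SAMPLE='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0050 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 12399 1 0000000000000000 20 0 0 10 -1'

# Runs against the constructed sample. On a live host, feed /proc/net/tcp
# (and /proc/net/tcp6) to listen_inodes and pass each inode to owners_of_inode.
demo() {
    printf '%s\n' "$SAMPLE" | listen_inodes 80
}
```

On a real host, `listen_inodes 80 < /proc/net/tcp` followed by `owners_of_inode INODE` names the process behind the port; an inode with no owner in /proc suggests a hidden process or kernel-level tampering and is a strong signal to take the reinstall route Jamon recommends.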