Re: [SLUG] OK it's my fault - Help I've been hacked

From: Mike Manchester (mchester@yahoo.com)
Date: Tue Aug 28 2001 - 06:39:33 EDT


OK, for the time being I've turned off the ftp port and the ssh port on the router and this has stopped the network activity. But it has created another problem and I can't seem to find it. I'm getting zombies. Though I'm not sure they are related to the attack, I just never had them before the attack. Anyway, they seem to be reproducing about every 2 mins. Is there any way to find out which process is creating these zombies, so I can get rid of them? Also, how do you check a port with telnet? Some of the ones I checked timed out and gave me a message about the type of port it was. But one of the ports is "listening" and it won't time out or give me back any information.

Thanks
Mike M.

Brett Simpson wrote:

> Maybe when you were hacked it added another daemon to run on another port other than ftp. Use a port scanner like nmap to check for any other ports being open. Once you see something odd you may be able to use telnet to check out what it responds with.
>
> nmap -p 1-65535 localhost
> nmap -sU -p 1-65535 localhost
> telnet localhost port
>
> >>> mchester@yahoo.com 08/27/01 03:49PM >>>
> OK it's my fault. I was playing around with anonymous ftp and forgot to kill ftp when I
> was done. This morning I noticed I had a lot of activity on my hub and My son was at work.
> So I knew it was him. So looking at my logs I found this.
> Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552
> /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41
> b _ i g ftp ftp 0 * c
>
> So I promptly stopped ftp and removed the above dir. Note it wouldn't let me remove the COM1_
> dir so I deleted the whole tree /data/anonymous.
>
> Now my question is, since ftp is no longer running and I've removed the anonymous dir, why
> does my log now show this? The time is at least 2 hours after I shut off the anonymous
> access.
> Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840
> /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00
> b _ i g ftp ftp 0 * c
>
> How can they still be xfering files that no longer exist on my system? Well at least they
> aren't in the /data/anonymous dir tree.
>
> If I try to ftp to my machine using anonymous I receive this message. 530 Can't set guest
> privileges.
> Login failed. Which I would expect as I removed the anonymous ftp userid. So how can
> these script kiddies still be getting in?
>
> And what's a good program to use to find this kind of stuff? I'm not sure how long this
> would have gone on if I hadn't noticed my hub lights working so hard.
>
> Thanks
> Mike M.
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com

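Two of the questions in this message (which process is spawning the zombies, and how to probe a port that stays silent under telnet) can be answered from a shell. The script below is an added example written for this archive page; it is not code from either poster. A zombie is a process that has already exited but has not been reaped by its parent, so killing the zombie itself does nothing: the parent PID is what you need. The sample ps output embedded here is constructed for the demonstration (the PIDs and the in.ftpd names are made up); on a live box you pipe real `ps -eo pid,ppid,stat,comm` output into the function instead.

```shell
# Added example, not from the thread. Groups zombie processes (STAT "Z...")
# by parent PID so the parent that is failing to reap them can be found.

# Constructed sample of `ps -eo pid,ppid,stat,comm` output (hypothetical
# PIDs and names) so the function can be demonstrated offline.
SAMPLE_PS='  PID  PPID STAT COMMAND
    1     0 Ss   init
  312     1 Ss   inetd
  840   312 S    in.ftpd
  901   840 Z    in.ftpd
  955   840 Z    in.ftpd
 1020     1 S    sshd'

# zombie_parents: read ps output on stdin and print one line per parent
# that owns at least one zombie child: "PPID zombie_count parent_command".
# Only the parent can reap a zombie (or, if the parent is killed, init
# adopts and reaps them), so this is the PID to investigate or restart.
zombie_parents() {
    awk 'NR == 1 { next }                 # skip the header line
         { cmd[$1] = $4 }                 # remember every PID -> command
         $3 ~ /^Z/ { zombies[$2]++ }      # STAT starting with Z is a zombie
         END {
             for (p in zombies)
                 printf "%s %d %s\n", p, zombies[p], (p in cmd) ? cmd[p] : "?"
         }'
}

# banner_grab host port [seconds]: connect, send a bare line, and print
# whatever the service answers within the time limit. A service that stays
# silent simply produces no output when the timeout expires, instead of
# leaving telnet hanging. Uses bash's /dev/tcp, so bash is required; this
# function is not exercised offline.
banner_grab() {
    timeout "${3:-5}" bash -c '
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        printf "\r\n" >&3
        cat <&3' _ "$1" "$2"
}

# Usage on a live system:
#   ps -eo pid,ppid,stat,comm | zombie_parents
#   banner_grab localhost 21 5
```

Once `zombie_parents` names the parent, `ls -l /proc/<PPID>/exe` and `/proc/<PPID>/cwd` show what binary is actually running and from where, which is the quickest way to tell a legitimate daemon from something the intruder left behind.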



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:16 EDT