Re: [SLUG] OK it's my faul - Help I've been hacked

From: Brett Simpson (Simpsonb@hillsboroughcounty.org)
Date: Tue Aug 28 2001 - 10:48:16 EDT


One command shows your open TCP ports and the other shows your open UDP ports.

>>> pwgrant@yahoo.com 08/27/01 10:12PM >>>
Why do the two commands give slightly different results on the same box?
----- Original Message -----
From: "Brett Simpson" <Simpsonb@hillsboroughcounty.org>
To: <slug@nks.net>; <mchester@yahoo.com>
Sent: Monday, August 27, 2001 4:42 PM
Subject: Re: [SLUG] OK it's my faul - Help I've been hacked

> Maybe when you were hacked it added another daemon to run on another port
> other than ftp. Use a port scanner like nmap to check for any other ports
> being open. Once you see something odd you may be able to use telnet to
> check out what it responds with.
>
> nmap -p 1-65535 localhost
> nmap -sU -p 1-65535 localhost
> telnet localhost port
>
> >>> mchester@yahoo.com 08/27/01 03:49PM >>>
> OK it's my fault. I was playing around with anonymous ftp and forgot to
> kill ftp when I was done. This morning I noticed I had a lot of activity on
> my hub and my son was at work. So I knew it was him. So looking at my logs I
> found this.
>
> Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552 /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41 b _ i g ftp ftp 0 * c
>
> So I promptly stopped ftp and removed the above dir. Note it wouldn't let
> me remove the COM1_ dir so I deleted the whole tree /data/anonymous.
>
> Now my question is, since ftp is no longer running and I've removed the
> anonymous dir, why does my log now show this? The time is at least 2 hours
> after I shut off the anonymous access.
>
> Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840 /data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00 b _ i g ftp ftp 0 * c
>
> How can they still be xfering files that no longer exist on my system?
> Well, at least they aren't in the /data/anonymous dir tree.
>
> If I try to ftp to my machine using anonymous I receive this message:
> "530 Can't set guest privileges. Login failed." Which I would expect as I
> removed the anonymous ftp userid. So how can these script kiddies still be
> getting in?
>
> And what's a good program to use to find this kind of stuff? I'm not sure
> how long this would have gone on if I hadn't noticed my hub lights working
> so hard.
>
> Thanks
> Mike M.
>
> _________________________________________________________
> Do You Yahoo!?
> Get your free @yahoo.com address at http://mail.yahoo.com



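Mike asks what a good program is for finding this kind of thing, and the two log lines he pasted are in the wu-ftpd xferlog format (date, transfer time, remote host, byte count, path, then the single-letter type/direction/access-mode/status codes). The following is an added example written for this page; it is not code from the thread or from any participant. It parses that format, totals bytes per remote host, flags anonymous or guest uploads (direction `i`), and flags any transfer logged after the time the admin believes ftpd was stopped, which is exactly the anomaly Mike is asking about. The field layout is taken from xferlog(5); the third sample line, the host `workstation.example.net` and the `review()` helper are constructed for the example.

```python
from datetime import datetime

# xferlog(5) field codes (assumption: the poster's server writes the wu-ftpd
# xferlog format; the two lines quoted in the thread match it field for field).
ACCESS_MODE = {"a": "anonymous", "g": "guest", "r": "real"}
DIRECTION = {"i": "incoming", "o": "outgoing", "d": "deleted"}


def parse_xferlog(line):
    """Parse one xferlog line into a dict, or return None if it is not one.

    Layout: <5 date tokens> transfer-time remote-host file-size filename
            transfer-type special-action direction access-mode username
            service-name auth-method auth-user completion-status
    xferlog writes spaces inside filenames as '_', so a whitespace split is safe.
    """
    f = line.split()
    if len(f) < 18:
        return None
    try:
        when = datetime.strptime(" ".join(f[:5]), "%a %b %d %H:%M:%S %Y")
        transfer_secs, size = int(f[5]), int(f[7])
    except ValueError:
        return None
    return {
        "time": when,
        "transfer_secs": transfer_secs,
        "host": f[6],
        "size": size,
        "path": f[8],
        "type": f[9],                               # 'a' ascii / 'b' binary
        "direction": DIRECTION.get(f[11], f[11]),   # 'i' = client uploaded to us
        "access": ACCESS_MODE.get(f[12], f[12]),
        "user": f[13],
        "status": f[17],                            # 'c' complete / 'i' incomplete
    }


def review(lines, stopped_at):
    """Total bytes per remote host and flag entries worth a closer look.

    stopped_at: ISO timestamp ("2001-08-27 10:00:00") of when the admin
    believes ftpd was shut down. Anything logged after it means some ftpd
    process was still serving transfers, whatever the init script said.
    """
    cutoff = datetime.fromisoformat(stopped_at)
    entries = [e for e in map(parse_xferlog, lines) if e]
    bytes_by_host = {}
    flagged = []
    for e in entries:
        bytes_by_host[e["host"]] = bytes_by_host.get(e["host"], 0) + e["size"]
        if e["time"] > cutoff:
            flagged.append(("logged after ftpd was supposedly stopped", e))
        if e["access"] in ("anonymous", "guest") and e["direction"] == "incoming":
            flagged.append(("anonymous/guest upload", e))
    return {"entries": entries, "bytes_by_host": bytes_by_host, "flagged": flagged}


# Sample input: the two lines quoted in the thread, re-joined onto one line
# each, plus one constructed benign download by a real user.
SAMPLE_LOG = [
    "Sun Aug 26 22:10:42 2001 201 acaen-101-1-3-7.abo.wanadoo.fr 3223552 "
    "/data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD1/"
    "le_pacte_des_loup_part1_(divx4.0_2_pass__AC3).00.r41 b _ i g ftp ftp 0 * c",
    "Mon Aug 27 12:10:15 2001 56 acaen-101-1-3-7.abo.wanadoo.fr 906840 "
    "/data/anonymous/COM1_/SCAN/TAGG/UP/BY/PuppetMaster/Le_pactes_des_Loups_/CD2/"
    "le_pacte_des_loup_part2_(divx4.0_2_pass__AC3).00.r00 b _ i g ftp ftp 0 * c",
    "Mon Aug 27 09:02:11 2001 3 workstation.example.net 4096 "       # constructed
    "/home/mike/notes.txt a _ o r mike ftp 1 mike c",
]

if __name__ == "__main__":
    report = review(SAMPLE_LOG, "2001-08-27 10:00:00")
    for host, total in sorted(report["bytes_by_host"].items()):
        print(f"{host}: {total} bytes")
    for reason, e in report["flagged"]:
        print(f"{e['time']} {e['host']} {e['direction']} {e['path']}: {reason}")
```

Run it against the real file (`/var/log/xferlog` on most wu-ftpd installs) by reading it into a list of lines in place of `SAMPLE_LOG`. The point of the cutoff check is that the log is written by whichever ftpd process actually served the transfer, so an entry timestamped after the service was "stopped" is evidence that a process was still bound to port 21, which is what the nmap check earlier in the thread would confirm from the network side.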

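Brett's explanation of the two nmap commands (one lists TCP ports, the other UDP) can be checked from inside the box rather than by probing it: on Linux, `/proc/net/tcp` and `/proc/net/udp` are the kernel tables those probes are answered from. The following is an added example written for this page, not code from the thread; it parses those two tables and lists the TCP sockets in LISTEN and the bound UDP sockets, which is what the two scans approximate from outside. The column layout follows the kernel's `Documentation/networking/proc_net_tcp.rst`; the sample tables, the inode numbers and the `--live` flag are constructed for the example, and IPv6 tables (`tcp6`/`udp6`) are not handled.

```python
import socket

# Socket-state codes from the kernel's include/net/tcp_states.h: a TCP socket
# accepting connections is in LISTEN (0A); a bound but unconnected UDP socket
# is reported as TCP_CLOSE (07) because UDP has no listen state at all.
TCP_LISTEN = "0A"
UDP_BOUND = "07"


def decode_local(hexaddr):
    """'0100007F:0015' -> ('127.0.0.1', 21). /proc stores IPv4 little-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(bytes.fromhex(ip_hex)[::-1])
    return ip, int(port_hex, 16)


def bound_sockets(table_text, proto):
    """Return [(ip, port, uid, inode)] for sockets that will answer a probe:
    TCP rows in LISTEN, UDP rows that are bound. Data columns are
    sl local_address rem_address st tx:rx tr:when retrnsmt uid timeout inode."""
    found = []
    for row in table_text.splitlines()[1:]:            # first row is the header
        cols = row.split()
        if len(cols) < 10:
            continue
        local, state, uid, inode = cols[1], cols[3], cols[7], cols[9]
        wanted = TCP_LISTEN if proto == "tcp" else UDP_BOUND
        if state != wanted:
            continue                                    # established, time-wait, ...
        ip, port = decode_local(local)
        found.append((ip, port, int(uid), int(inode)))
    return sorted(found, key=lambda s: s[1])


def listening_ports(tcp_text, udp_text):
    """The two port lists the two nmap commands in the thread approximate."""
    return {"tcp": [s[1] for s in bound_sockets(tcp_text, "tcp")],
            "udp": [s[1] for s in bound_sockets(udp_text, "udp")]}


# Constructed sample tables: ftpd and sshd listening on TCP 21/22, one
# established ftp session, portmap on UDP 111 and a resolver on UDP 53.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0015 0100007F:8A3C 01 00000000:00000000 00:00000000 00000000     0        0 11003 1 0000000000000000 20 4 30 10 -1
"""
SAMPLE_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:006F 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11010 2 0000000000000000 0
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 11011 2 0000000000000000 0
"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1 and sys.argv[1] == "--live":      # read the real kernel tables
        tcp, udp = open("/proc/net/tcp").read(), open("/proc/net/udp").read()
    else:
        tcp, udp = SAMPLE_TCP, SAMPLE_UDP
    for proto, text in (("tcp", tcp), ("udp", udp)):
        for ip, port, uid, inode in bound_sockets(text, proto):
            print(f"{proto} {ip}:{port} uid={uid} inode={inode}")
```

The inode column is what ties a socket back to a process (`ls -l /proc/*/fd | grep socket:\[11001\]`), which answers the thread's real question of which daemon owns a port that should not be open. The usual tools for this are `netstat -lntup` or `ss -lntup`; the value of comparing their output with an nmap scan from another host is that any port present in one list and absent from the other is itself a finding, whether that is packet filtering or something hiding the socket.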
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:09:39 EDT