Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
KsIRC, Stupid Move!!
Hello Linux heads, just did something REALLY stupid last night on my trusty Red Hat box. Using Red Hat 6.0 with KDE, I somehow decided to "use" or abuse KsIRC, the chat program that is part of Internet Options.
New to this chat stuff, I did some remote connections (like "undernet" out of Amsterdam, and a few others).
The bad part is, I did this under root user circumstances.
Just to check out my error, I brought up a terminal and typed in netstat and noticed some funny IP numbers, and one that is clearly IRC (undernet). I also tried to "traceroute" these numbers (under network tools), with similar results.
The really scary thing is that when I disconnect my modem (software-wise and physically), I try netstat again and these same IP (IRC) numbers come up again.
So what do I have, a HACKED Linux box acting as someone's SERVER? Or worse?
What can I do to remedy all this shit that I got myself into!
Don't worry about what netstat says when you unplug the modem; it will show the last connection state you had.
Use who or w to see what users are connected.
You can kill that connection with:
fuser -v -n tcp -k -i port_number
I'd be concerned that I got rooted if I was you. Especially if you reboot and notice sockets listening on odd port numbers that shouldn't be open. I would consider it a compromised box until you made very sure that it was clean. Download and run chkrootkit to see if you can detect anything. Check /etc/passwd to see if you have any new users (users like h4z0r or 3l337 are probably not a good sign). If you had the foresight to install a file system integrity checker (like tripwire), then check your logs to see if anything significant has changed.
If you continue to notice strange activity, I would seriously think about backing up your personal files and doing a fresh reinstall. You can try and hunt down rootkits, but if you have something nasty like an LKM, you'll have a hard time.
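The two manual checks suggested in the reply above (look for unexpected listening sockets after a reboot, and look for accounts that were added to /etc/passwd) can be scripted so they are repeatable. The script below is an added example and is not from the thread or from any of the tools named in it. It runs against constructed sample data embedded in the file: a made-up passwd file, a made-up list of accounts recorded when the box was known-good, and netstat-style output typed in by hand, so nothing here is real data from anyone's machine. In actual use you would feed the functions `cat /etc/passwd` and `netstat -tln` (or `ss -tln` on a modern distribution) instead of the samples. Keep the caveat from the reply in mind: a kernel-level rootkit (an LKM) can hide processes, sockets and files from userland tools, so a clean result from checks like these does not prove the box is clean; an unexplained UID 0 account or an unknown listener is strong evidence that it is not.

```sh
#!/bin/sh
# Added example (not part of the original thread): offline triage of a
# suspected compromise, exercised against constructed sample data.

# Constructed sample in /etc/passwd format (not a real system file).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
h4z0r:x:0:0::/tmp:/bin/bash
backdoor:x:501:501::/var/tmp:/bin/bash'

# Constructed baseline: account names recorded while the box was known-good.
BASELINE_USERS='root
daemon
alice'

# Constructed text in the style of "netstat -tln" (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN'

# Constructed allowlist of TCP ports the administrator expects to be listening.
EXPECTED_PORTS='22 25'

# Print every account with UID 0 other than root. Reads passwd text on stdin.
# A second UID 0 account is a classic sign that someone added a backdoor login.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print account names found in passwd text (stdin) but missing from the
# baseline list passed as $1 (one name per line).
new_accounts() {
    baseline="$1"
    awk -F: '{ print $1 }' | while read -r name; do
        printf '%s\n' "$baseline" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Print listening TCP ports from netstat-style text (stdin) that are not in
# the space-separated allowlist passed as $1. The port is the last
# colon-separated field of the Local Address column, so IPv6 rows work too.
unexpected_listeners() {
    allow="$1"
    awk '$1 == "tcp" && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' \
      | sort -n -u \
      | while read -r port; do
        case " $allow " in
            *" $port "*) ;;
            *) printf '%s\n' "$port" ;;
        esac
    done
}

# Run all three checks over the constructed samples and print the findings.
run_triage() {
    echo "== accounts with UID 0 besides root =="
    printf '%s\n' "$SAMPLE_PASSWD" | extra_uid0_accounts
    echo "== accounts not present in the known-good baseline =="
    printf '%s\n' "$SAMPLE_PASSWD" | new_accounts "$BASELINE_USERS"
    echo "== listening TCP ports not in the allowlist =="
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$EXPECTED_PORTS"
}

run_triage
```

On the sample data the script flags h4z0r as a second UID 0 account, h4z0r and backdoor as accounts absent from the baseline, and 6667 and 31337 as listeners nobody expected. The baseline list is the important part: record account names and listening ports while the machine is known-good (a file system integrity checker such as the tripwire mentioned above does this far more thoroughly), because without a baseline you are left guessing which entries were there before.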