Mailing List Archive

Re: [tlug] hack attack from localhost?



You would have to provide more information about your machine for anyone
to make sense of your logs.

You will need to look at everything.

A quicker way is to use an existing program called chkrootkit.
http://rr.sans.org/malicious/chkrootkit.php

Root kits pop up listeners all over the place while replacing your system
tools with ones that hide the listeners' processes.

Root kit check checks for all types of things you would have never
thought to look at.

Also, a good internal test might be to nmap the box for the local network.

Then run netstat -lna.

If the ports don't match up, this might indicate that your box
may have been compromised.

I think there is a FreeBSD port for chkrootkit.

-Ted

On Thu, Jan 31, 2002 at 11:20:44PM +0900, Sven Simon wrote:
> I got my FreeBSD set up to log connection attempts on blocked ports
> and here's what I found in /var/log/messages:
> Jan 25 03:05:43 hostname /kernel: Connection attempt to UDP 127.0.0.1:512 from 127.0.0.1:1103

Ted Knab
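
Added example, not part of the original message: one way to automate the nmap versus netstat comparison suggested in the reply, for TCP only. The sample outputs, function names and result keys are constructed for illustration. A port that nmap sees open but that has no LISTEN entry locally is the mismatch that points at a replaced netstat; ports that only netstat shows are usually loopback-bound or filtered.

```python
import re

# Constructed samples: nmap port table (scan from another LAN host) and
# FreeBSD-style `netstat -lna` output taken on the box itself.
NMAP_OUT = """\
PORT      STATE  SERVICE
22/tcp    open   ssh
25/tcp    closed smtp
80/tcp    open   http
31337/tcp open   unknown
"""

NETSTAT_OUT = """\
Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp4       0      0  *.22                   *.*                    LISTEN
tcp4       0      0  *.80                   *.*                    LISTEN
tcp4       0      0  127.0.0.1.25           *.*                    LISTEN
tcp4       0      0  192.168.1.10.22        192.168.1.5.51234      ESTABLISHED
"""

def nmap_open_tcp(text):
    """TCP ports that nmap reports as open."""
    return {int(p) for p in re.findall(r"^(\d+)/tcp\s+open\b", text, re.M)}

def netstat_listen_tcp(text):
    """Map port -> local addresses for LISTEN sockets (BSD addr.port or Linux addr:port)."""
    listeners = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 6 or not f[0].startswith("tcp") or f[-1] != "LISTEN":
            continue
        m = re.match(r"(.*)[.:](\d+)$", f[3])
        if m:
            listeners.setdefault(int(m.group(2)), set()).add(m.group(1))
    return listeners

def compare(nmap_text, netstat_text):
    seen, local = nmap_open_tcp(nmap_text), netstat_listen_tcp(netstat_text)
    loopback = lambda a: a.startswith("127.") or a == "::1"
    unseen = set(local) - seen
    return {
        # Open on the wire but no LISTEN entry locally: netstat may be hiding it.
        "hidden_from_netstat": sorted(seen - set(local)),
        # Bound to loopback only: a network scan can never reach these.
        "loopback_only": sorted(p for p in unseen if all(map(loopback, local[p]))),
        "not_reached_by_scan": sorted(p for p in unseen if not all(map(loopback, local[p]))),
    }

if __name__ == "__main__":
    print(compare(NMAP_OUT, NETSTAT_OUT))
```

Run the scan from a second machine and take the netstat listing from trusted media if possible, since a replaced netstat binary is exactly what the comparison is meant to expose.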

