Two weeks ago I wrote about stealth scans and promised to follow up with a column on NMAP, Fyodor's wonderful open source port scanner. But between that time and the appearance of this column, two big stories got in the way. First came word that was moving to 's site. Then came a rare opportunity to bring together Bob Young and a player from the Dark Side in an exclusive one-on-one, which was presented last week in place of the stealth scan follow-up (see Resources for links). My apologies for being late, but here it is. And just as someone out there is certain to be snickering about my network security skills, better late than never. Call it baud karma. (See Resources for links to previous columns.)

After downloading and installing BETA 21 of version 2.54 of NMAP (and its graphical frontend), I su'd to root, fired it up, and aimed a FIN stealth scan at ports 1-32000 on my server. I was running portsentry on the server, but my desktop machine - the one I was running NMAP on - was on the portsentry ignore list so that it wouldn't simply reroute my inquisitive packets to /dev/null after I hit the first protected port. The image above shows the way I had NMAP configured for the scan. It took less than a minute to ruin my entire week. The same scan produces markedly different results today.

(The 31957 ports scanned but not shown below are in state: closed)
Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed - 1 IP address (1 host up) scanned in 42 seconds

The feeling you get in the pit of your stomach when you first suspect that your site has been cracked is similar to the feeling you get when you first discover your house has been broken into. It is a sickening sense of muted outrage. Muted because you are still hoping against hope that it hasn't really happened. But your eyes are telling you that it has, that in spite of your denial you've been violated, that you're 0wn3d.

I wasn't running IRC on my server, but someone was. NMAP uses the service name "Elite" for anything running on port 31337. Port 31337 is the one Back Orifice most often uses.

One of the security mailing lists I subscribe to (but obviously don't heed as well as I should) mentioned a tool called chkrootkit, so I downloaded, compiled, and installed it on my server (see Resources for a link). At this point I was past the denial stage. It found several suspicious binaries that it suggested were trojans and said the machine was possibly infected with Ambient's rootkit.

But I didn't shut the server down immediately. First I notified the local LUG that was using my server for its mailing list, and the community theatre whose Website I host. I told them what had happened and that I would bring the server down for at least a day or so. Then I backed up my own Website and the theatre's Website. Starting from a new hard drive, I rebuilt the server from the ground up.
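The check the column implies but never automates: compare an NMAP port listing against the set of services you know you run, so an "Elite" entry on 31337 or an IRC daemon you never started is flagged the moment the scan finishes. This is an added example, not code from the column; the scan text, hostname, address and the baseline of expected ports are constructed for illustration.

```python
import re

# Constructed sample in the style of nmap 2.5x normal output. The column's
# own port table is not on the page; only the 31337/Elite and IRC findings
# it describes are reproduced here.
SAMPLE_SCAN = """\
Interesting ports on host.example (192.0.2.10):
(The 31957 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
6667/tcp   open        irc
31337/tcp  open        Elite

Remote operating system guess: Linux 2.1.122 - 2.2.16
Nmap run completed - 1 IP address (1 host up) scanned in 42 seconds
"""

# Assumed baseline: the ports the administrator deliberately exposes.
EXPECTED_OPEN = {22, 25, 80}

# Ports that are a finding on their own, whatever the baseline says.
KNOWN_BAD = {31337: "Back Orifice (nmap service name 'Elite')"}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*$")


def parse_open_ports(scan_text):
    """Return {port: service} for every line nmap reports as open."""
    found = {}
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found[int(m.group(1))] = m.group(4)
    return found


def audit(scan_text, expected=EXPECTED_OPEN, known_bad=KNOWN_BAD):
    """Compare a scan against the baseline; return (port, level, note) findings."""
    open_ports = parse_open_ports(scan_text)
    findings = []
    for port in sorted(open_ports):
        if port in known_bad:
            findings.append((port, "CRITICAL", known_bad[port]))
        elif port not in expected:
            findings.append((port, "UNEXPECTED", open_ports[port]))
    # A baseline service that stopped listening can mean a replaced daemon.
    for port in sorted(expected - set(open_ports)):
        findings.append((port, "MISSING", "expected service not listening"))
    return findings


if __name__ == "__main__":
    for port, level, note in audit(SAMPLE_SCAN):
        print(f"{level:10} {port:>6}  {note}")
```

Run it from the ignore-listed scanning host right after the scan, and keep the baseline under version control so a changed baseline is itself a visible event.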