Firewall Wizards mailing list archives
Re: rpc.statd message log
From: "Robert E. Martin" <rmartin () fishburne org>
Date: Fri, 02 May 2003 08:13:45 -0400
Prashant Desai wrote:
> > I have since shut down the rpc.statd service, bumped up the firewall rules, started working on a new set of firewall rules and the hacking seems to have calmed down for now. Also, I would like to take this opportunity to say thanks to everyone on the list for their help and support. Without a list like this, I, and I'm sure so many others, would not be able to get the things done that I need to do. This is an invaluable support venue for me and I just wanted to say that I appreciate all the help and knowledge I have received from it.
>
> Don't forget to check the /dev dirs and history file /logs. Many times the intruder forgets to delete the history file and installs the bins under /dev.
>
> best luck
> prashant
>
> --- Devdas Bhagat <devdas () dvb homelinux org> wrote:
> > On 24/04/03 12:05 -0400, Robert E. Martin wrote:
> > <snip>
> > > I believe that the machine has been compromised, but do not find any
> >
> > IIRC, you use Linux. What distro (RH 6.2?). Patch level?
> >
> > > trace using cert.org recommended Intruder Detection Checklist. I have
> >
> > Run chkrootkit, and validate checksums for binaries from a clean booted system (not booted from the possibly compromised disk) using an alternate md5sum and kernel binary.
> >
> > > stopped the rpc.statd service, since we don't use this at ALL!
> >
> > That should have been stopped as part of OS hardening itself.
> >
> > Devdas Bhagat
> >
> > > http://www.kb.cert.org/vuls/id/34043
> > >
> > > Any thoughts? Anyone?
> > >
> > > --
> > > Robert E Martin
> > > IT Manager
> > > Fishburne Military School
> > > rmartin () fishburne org
> > > 540.946.7726
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards () honor icsalabs com
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Thanks a lot guys!! (warm and fuzzies all around)

--
Robert E Martin
IT Manager
Fishburne Military School
rmartin () fishburne org
540.946.7726
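
The checks suggested in the quoted replies above (ordinary files under /dev, surviving history files, checksums against a clean baseline), as an added sketch that is not part of the original thread. It assumes the suspect disk is mounted read-only at the path given as the first argument after booting from clean media, and that a manifest in md5sum format was made on a known-clean install; the script name, the function names and the MD5SUM variable are hypothetical.

```shell
#!/bin/sh
# Added example: offline triage of a suspect disk mounted read-only at ROOT.
# ROOT, the manifest path and MD5SUM are assumptions of this sketch.

# Regular files under ROOT/dev. That directory should hold device nodes, so
# ordinary files there deserve a look (MAKEDEV is a known legitimate script).
dev_regular_files() {
    root=$1
    find "$root/dev" -type f ! -name MAKEDEV 2>/dev/null | sort
}

# Shell history files that still have content, listed for manual review.
history_files() {
    root=$1
    find "$root/root" "$root/home" -maxdepth 2 -type f \
        \( -name '.bash_history' -o -name '.sh_history' -o -name '.history' \) \
        -size +0 2>/dev/null | sort
}

# Compare binaries on the suspect disk with a manifest made on a known-clean
# system (md5sum format, paths relative to /, manifest given as an absolute
# path). Prints the relative paths that are changed or missing.
# MD5SUM lets the caller point at a trusted copy of the tool on clean media.
changed_binaries() {
    root=$1
    manifest=$2
    ( cd "$root" && LC_ALL=C "${MD5SUM:-md5sum}" -c "$manifest" 2>/dev/null ) |
        sed -n 's/: FAILED.*$//p' | sort
}

# Usage (hypothetical paths): sh triage.sh /mnt/suspect /media/clean/manifest.md5
if [ "$#" -eq 2 ]; then
    echo "== regular files under /dev";  dev_regular_files "$1"
    echo "== non-empty history files";   history_files "$1"
    echo "== changed or missing binaries"; changed_binaries "$1" "$2"
fi
```
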
Current thread:
- Re: rpc.statd message log Prashant Desai (May 01)
- Re: rpc.statd message log Robert E. Martin (May 02)