Security Incidents mailing list archives
Xterm
From: "Yahoo - CQRMail" <cqrmail () yahoo com>
Date: Thu, 25 Oct 2001 21:58:05 -0400
My Snort IDS picked up a bunch of X11 signatures: http://www.whitehats.com/info/ids126

Source IP is a random public address, source port is 6000...random destination inside ports. I have blocked 6000 at the firewall, but I don't know where to begin tracking down what is compromised on the server. I am running Mandrake 8, only ports allowed are 80 and 22...xdm has been disabled.

I didn't see much in the logs, so where should I begin? And what should I look for? I will probably rebuild the server, but I would like to see if I can find out what has been done first, so I can be prepared later...

TIA...new to Linux, so I apologize for my crude question,

Tony