Security Incidents mailing list archives

Re: Xterm


From: dewt <dewt () kc rr com>
Date: Fri, 26 Oct 2001 13:09:00 -0500

On Thursday 25 October 2001 08:58 pm, Yahoo - CQRMail wrote:
My snort IDS picked up a bunch of X11 signatures:
http://www.whitehats.com/info/ids126
Source IP is a random public address, source port is 6000... random
destination ports on the inside.

I have blocked 6000 at the firewall, but I don't know where to begin
tracking down what is compromised on the server. I am running Mandrake 8,
only ports allowed are 80 and 22...xdm has been disabled.

I didn't see much in the logs, so where should I begin? And what should I
look for?

I will probably rebuild the server, but I would like to see if I can find
out what has been down first, so I can be prepared later...

TIA...new to linux, so I apologize for my crude question,
Tony


The snort rule for it is pretty vague and looks prone to false positives; it
could just have been legitimate traffic, but of course you should still look
into it. Try using nmap or some other scanner on one of the machines and see
if port 6000 is open on that. Also look in your /etc/shadow and /etc/passwd
for accounts that shouldn't be there or accounts with passwords that shouldn't
have them. Also look in the .ssh directory in each user's home directory and
see if any of them have an authorized_keys2 file; if they do, that's bad unless
you set that up =P
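The host checks suggested in the reply above, as an added shell script that is not part of this thread. File and directory paths are parameters (defaulting to the real system locations) so the functions can be run against copies, and the local port check assumes `ss` or `netstat` is installed; the nmap scan from another host is the external equivalent.

```shell
#!/bin/sh
# Added triage helper, not from the mailing-list thread. Each function prints
# findings; an empty result means nothing matched that check.

# Accounts whose /etc/shadow entry is a real hash (not '*', '!' or '!!') and
# therefore can log in with a password, plus accounts with an empty password
# field (no password at all). Service accounts normally fall in neither group.
accounts_with_passwords() {
    shadow=${1:-/etc/shadow}
    awk -F: '$2 == ""       { print $1 " (empty password)"; next }
             $2 !~ /^[*!]/  { print $1 }' "$shadow"
}

# Extra UID 0 accounts in /etc/passwd: a second root-equivalent user is a
# classic sign that someone added a backdoor account.
suspicious_passwd_entries() {
    passwd=${1:-/etc/passwd}
    awk -F: '$3 == 0 && $1 != "root" { print $1 ": extra uid 0 account" }' "$passwd"
}

# Every authorized_keys / authorized_keys2 file under a home directory root.
# Any of these grants password-less SSH login to whoever holds the matching
# private key, so each one needs to be accounted for. Run it for /root as well.
list_authorized_keys() {
    home_root=${1:-/home}
    find "$home_root" -maxdepth 3 -path '*/.ssh/authorized_keys*' -type f \
        2>/dev/null | sort
}

# Anything listening on TCP 6000 locally (X server port) despite xdm being off.
x11_listener() {
    { ss -ltn 2>/dev/null || netstat -ltn 2>/dev/null; } | awk '$4 ~ /:6000$/'
}

run_triage() {
    echo "== accounts with usable passwords ==";   accounts_with_passwords
    echo "== extra uid 0 accounts ==";             suspicious_passwd_entries
    echo "== authorized_keys files ==";            list_authorized_keys /home
    list_authorized_keys /root
    echo "== listeners on port 6000 ==";           x11_listener
}

# Only run against the live system when explicitly asked (needs root to read
# /etc/shadow): sh triage.sh --run
case "${1:-}" in --run) run_triage ;; esac
```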

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
