First of all, close all incoming traffic to destination port 6969 on your link. Second, as I already said before, look with a sniffer at what is going on on the interface facing the inside of the network (do this before closing 6969). Third, take a clean server (if there is no backup) and move the mail, the databases and the checked websites over to it..

"oxygen" <neturiu@mailo.px> wrote in message news:he5gau$7m2$1@trimpas.omnitel.net...
> ############################################################
> lsof -ni
> COMMAND     PID   USER      FD   TYPE  DEVICE  SIZE  NODE  NAME
> amavisd-n   2034  amavis    5u   IPv4  5768          TCP   127.0.0.1:10024 (LISTEN)
> mysqld      2096  mysql     13u  IPv4  5852          TCP   127.0.0.1:mysql (LISTEN)
> postgrey    2153  postgrey  5u   IPv4  5986          TCP   127.0.0.1:60000 (LISTEN)
> couriertc   2352  root      3u   IPv6  6366          TCP   *:imap2 (LISTEN)
> couriertc   2364  root      3u   IPv6  6385          TCP   *:imaps (LISTEN)
> couriertc   2369  root      5u   IPv6  6401          TCP   *:pop3 (LISTEN)
> couriertc   2383  root      3u   IPv6  6421          TCP   *:pop3s (LISTEN)
> master      2451  root      11u  IPv4  6597          TCP   *:smtp (LISTEN)
> master      2451  root      17u  IPv4  6613          TCP   127.0.0.1:10025 (LISTEN)
> sshd        2486  root      3u   IPv6  6775          TCP   *:ssh (LISTEN)
> proftpd     2547  proftpd   1u   IPv6  6870          TCP   *:ftp (LISTEN)
> apache2     2569  root      4u   IPv6  6912          TCP   *:www (LISTEN)
> 3           2613  root      3u   IPv4  7090          TCP   *:6969 (LISTEN)
> apache2     3874  www-data  4u   IPv6  6912          TCP   *:www (LISTEN)
> amavisd-n   3903  amavis    5u   IPv4  5768          TCP   127.0.0.1:10024 (LISTEN)
> amavisd-n   3931  amavis    5u   IPv4  5768          TCP   127.0.0.1:10024 (LISTEN)
> apache2     3969  www-data  4u   IPv6  6912          TCP   *:www (LISTEN)
> smtpd       17811 postfix   6u   IPv4  6597          TCP   *:smtp (LISTEN)
> ############################################################
>
> ############################################################
> lsof -p 2613
> COMMAND  PID   USER  FD   TYPE  DEVICE  SIZE     NODE     NAME
> 3        2613  root  cwd  DIR   3,1     4096     2        /
> 3        2613  root  rtd  DIR   3,1     4096     2        /
> 3        2613  root  txt  REG   3,1     652620   3870961  /tmp/sh-DS1OXTAACRK (deleted)
> 3        2613  root  mem  REG   0,0     0                 [heap] (stat: No such file or directory)
> 3        2613  root  mem  REG   3,1     1241392  6373382  /lib/tls/i686/cmov/libc-2.3.6.so
> 3        2613  root  mem  REG   3,1     9656     6373401  /lib/tls/i686/cmov/libutil-2.3.6.so
> 3        2613  root  mem  REG   3,1     21868    6373384  /lib/tls/i686/cmov/libcrypt-2.3.6.so
> 3        2613  root  mem  REG   3,1     76548    6373388  /lib/tls/i686/cmov/libnsl-2.3.6.so
> 3        2613  root  mem  REG   3,1     88164    6356994  /lib/ld-2.3.6.so
> 3        2613  root  0u   CHR   1,3              790      /dev/null
> 3        2613  root  1u   CHR   1,3              790      /dev/null
> 3        2613  root  2u   CHR   1,3              790      /dev/null
> 3        2613  root  3u   IPv4  7090             TCP      *:6969 (LISTEN)
> ############################################################
>
> ############################################################
> After a reboot, iptables rules come up that should not be coming up:
> iptables-save
> # Generated by iptables-save v1.3.6 on Fri Nov 20 09:17:10 2009
> *filter
> :INPUT ACCEPT [137456:91136735]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [473095:177141687]
> -A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
> COMMIT
> # Completed on Fri Nov 20 09:17:10 2009
> ############################################################
>
> ############################################################
> Here is what ClamAV detects:
> /sbin/ttymon: Trojan.Linux.Rootkit.A FOUND
> /usr/lib/libsh/shsb: Linux.LionCleaner FOUND
> /usr/bin/pstree: Trojan.Rootkit-118 FOUND
> ############################################################
>
> ############################################################
> rkhunter --checkall
> Rootkit 'SHV4'... [ Warning! ]
>
> --------------------------------------------------------------------------------
> Found parts of this rootkit/trojan by checking the default files and directories
> Please inspect the available files, by running this check with the parameter
> --createlogfile and check the log file (current file: /dev/null).
> --------------------------------------------------------------------------------
>
> [Press <ENTER> to continue]
>
> Rootkit 'SHV5'... [ Warning! ]
>
> --------------------------------------------------------------------------------
> Found parts of this rootkit/trojan by checking the default files and directories
> Please inspect the available files, by running this check with the parameter
> --createlogfile and check the log file (current file: /dev/null).
> --------------------------------------------------------------------------------
>
> Scanned files: 342
> Possible infected files: 2
> Possible rootkits: SHV4 SHV5
> ############################################################
>
> "Tadas Kvedaras" <t.kvedaras.nospam@nospam.white-hat.no_spam.eu> wrote in message news:he5dii$3ps$1@trimpas.omnitel.net...
>> Everything is possible. That bad habit of reinstalling Windows whenever something stops working came here from Windows.
>>
>> You analyse the system (through the logs) and look for the cause; once you have found the cause, you remove it. I see you have started the analysis, but there are not many results; that happens too.
>>
>> From all the spam above I can see that you keep important data on the server (a company's www can also be considered important data), yet you do not make backups and have no documentation of the system (otherwise there would be no fear that something would stop working after reinstalling it). You have a chance to fix that.
>>
>> Your phrase "As far as I understood from the Linux guy, some script was dropped in through www, and that script is related to some port" sounds dangerous to me. If this is a server you administer, then you should know who puts what where and who does what.
>>
>> Now, about your problem:
>> Looks like the network card; check the logs again. Usually the logs "howl" (syslog, messages).
>> Rootkits? Intruders? Nonsense (this is more likely a different problem than the one you mention). The only thing I would not rule out is a DoS attack.
>>
>> The essence: record the time when it crashes (I still have not understood whether the crash (forcibly) reboots your system or not). Go through the logs and look at what happened during the last 10 minutes (before the crash). When you find it, try to fix it, or if you do not understand the logs, post them here; colleagues may help (if you post the essential info).
>>
>> Good luck
>>
>> --
>> Tadas K.
>>
>> "oxygen" <neturiu@mailo.px> wrote in message news:he48k3$9l6$1@trimpas.omnitel.net...
>>> What do you think, can the existing system be fixed without a full reinstall?
>>>
>>> "ejs" <ejs@no.where> wrote in message news:he487d$8t2$1@trimpas.omnitel.net...
>>>> krx wrote:
>>>>
>>>>> So why on earth keep a single server? It would be a luxury :-)
>>>>
>>>> Samba.
>>>>
>>>> --
>>>> ejs
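The reply above gives a three-step procedure (block inbound 6969, sniff the inner interface, migrate to a clean host), and the quoted evidence shows the three things worth automating on such a box: a root process listening on all interfaces from an unlinked binary in /tmp, and a pair of ACCEPT rules for that port that reappear after every reboot. The script below is an added example written for this thread, not code from any of the posters. It parses the output of the same three commands they ran (`lsof -ni`, `lsof -p PID`, `iptables-save`), flags those findings, and prints the firewall commands for step one instead of running them. The SAMPLE_* strings are constructed to mimic the posted output; the allow-list of expected ports and the lsof service-name table are assumptions based on the listing. One caveat the thread already supports: ClamAV flagged /usr/bin/pstree and rkhunter reports SHV4/SHV5, so the host's own `ps`, `lsof` and `netstat` are not to be trusted; run the `--live` branch with a known-good static binary or from a rescue boot, and treat its output as a lead, not as proof of absence.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for a host in the state
# described above. They parse the output of lsof -ni, lsof -p PID and
# iptables-save. The SAMPLE_* inputs are constructed to mimic the posted output;
# run with --live to feed in the real commands instead.

# Ports the host is meant to expose on all interfaces (assumed from the posted
# lsof -ni listing). Numeric, because iptables-save is numeric.
EXPECTED_PORTS="21 22 25 80 110 143 993 995"

# awk prologue shared by the parsers: allow-list plus lsof service-name map
# (lsof prints names unless run with -P).
AWK_PROLOGUE='
BEGIN {
    n = split(ok, a, " "); for (i = 1; i <= n; i++) allow[a[i]] = 1
    names["ftp"] = 21;   names["ssh"] = 22;    names["smtp"] = 25;   names["www"] = 80
    names["pop3"] = 110; names["imap2"] = 143; names["imaps"] = 993; names["pop3s"] = 995
    names["mysql"] = 3306
}
function portnum(p) { return (p in names) ? names[p] : p }
'

# 1. Listeners bound to every interface (*) on a port outside EXPECTED_PORTS.
#    stdin: lsof -ni.  stdout: "PID COMMAND PORT" per hit.
unexpected_listeners() {
    awk -v ok="$EXPECTED_PORTS" "$AWK_PROLOGUE"'
    $NF == "(LISTEN)" {
        split($(NF-1), addr, ":")          # "*:6969" -> addr[1]="*", addr[2]="6969"
        p = portnum(addr[2])
        if (addr[1] == "*" && !(p in allow)) print $2, $1, p
    }'
}

# 2. Which file a PID is actually executing, from lsof -p PID.
#    stdout: "PATH STATE"; STATE is "deleted" when the binary was unlinked after
#    exec (the run-from-/tmp-then-remove pattern in the posted output).
exe_status() {
    awk '$4 == "txt" {
        if ($NF == "(deleted)") print $(NF-1), "deleted"; else print $NF, "present"
    }'
}

# 3. INPUT ACCEPT rules opening a port outside EXPECTED_PORTS, from iptables-save.
#    Every occurrence is printed: the same rule twice, as in the thread, is itself
#    a clue that something re-adds it at boot.
rogue_input_accepts() {
    awk -v ok="$EXPECTED_PORTS" "$AWK_PROLOGUE"'
    /^-A INPUT / && / -j ACCEPT/ {
        for (i = 1; i < NF; i++)
            if ($i == "--dport" && !($(i+1) in allow)) print $(i+1)
    }'
}

# 4. The firewall change the reply asks for first: DROP inbound traffic to the
#    port at the head of INPUT, then delete the ACCEPT rules until none is left.
#    Printed rather than executed so it can be reviewed; pipe to sh to apply.
block_port_cmds() {
    echo "iptables -I INPUT 1 -p tcp --dport $1 -j DROP"
    echo "while iptables -D INPUT -p tcp -m tcp --dport $1 -j ACCEPT 2>/dev/null; do :; done"
}

# 5. Where the rules come back from: boot hooks that mention the port or call
#    iptables-restore (live systems only; paths are the usual Debian ones).
find_rule_persistence() {
    grep -rls -e "dport $1" -e iptables-restore \
        /etc/init.d /etc/rc.local /etc/rcS.d /etc/network 2>/dev/null || true
}

# Constructed sample input mimicking the posted output (abridged).
SAMPLE_LSOF_NI='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
mysqld 2096 mysql 13u IPv4 5852 TCP 127.0.0.1:mysql (LISTEN)
couriertc 2352 root 3u IPv6 6366 TCP *:imap2 (LISTEN)
master 2451 root 11u IPv4 6597 TCP *:smtp (LISTEN)
sshd 2486 root 3u IPv6 6775 TCP *:ssh (LISTEN)
apache2 2569 root 4u IPv6 6912 TCP *:www (LISTEN)
3 2613 root 3u IPv4 7090 TCP *:6969 (LISTEN)'

SAMPLE_LSOF_P='COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
3 2613 root cwd DIR 3,1 4096 2 /
3 2613 root txt REG 3,1 652620 3870961 /tmp/sh-DS1OXTAACRK (deleted)
3 2613 root mem REG 3,1 1241392 6373382 /lib/tls/i686/cmov/libc-2.3.6.so
3 2613 root 3u IPv4 7090 TCP *:6969 (LISTEN)'

SAMPLE_IPTABLES='*filter
:INPUT ACCEPT [137456:91136735]
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
COMMIT'

if [ "${1:-}" = "--live" ]; then
    lsof -ni | unexpected_listeners | while read -r pid cmd port; do
        echo "PID $pid ($cmd) listens on $port:"; lsof -p "$pid" | exe_status
    done
    iptables-save | rogue_input_accepts | sort -u | while read -r port; do
        block_port_cmds "$port"; find_rule_persistence "$port"
    done
else
    printf '%s\n' "$SAMPLE_LSOF_NI"  | unexpected_listeners   # 2613 3 6969
    printf '%s\n' "$SAMPLE_LSOF_P"   | exe_status             # /tmp/sh-DS1OXTAACRK deleted
    printf '%s\n' "$SAMPLE_IPTABLES" | rogue_input_accepts    # 6969, twice
    block_port_cmds 6969
fi
```

For step two of the reply, run the sniffer before applying the DROP, e.g. `tcpdump -ni eth1 'tcp port 6969'` on the interface facing the internal network, so you see who connects to the listener and whether it reaches out on its own; once the port is blocked that traffic is gone. The script only reports; the decision the thread ends on, moving services to a clean host rather than cleaning this one, is still the right one once a rootkit has replaced system binaries.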