Subject: Re: Big problem.
Author: Laboras
Date: 2009-11-20 19:32:05
First of all, close all incoming connections to destination port 6969 on your D-Link.
Second, as I already said before, look with a sniffer at what is happening on the interface facing the inside of the network (this is still before closing 6969).
Third, take a clean server (if there is no backup) and move the mail, the databases and the verified websites over to it..

"oxygen" <neturiu@mailo.px> wrote in message news:he5gau$7m2$1@trimpas.omnitel.net...
> ############################################################
> lsof -ni
> COMMAND     PID     USER   FD   TYPE DEVICE SIZE NODE NAME
> amavisd-n  2034   amavis    5u  IPv4   5768       TCP 127.0.0.1:10024 (LISTEN)
> mysqld     2096    mysql   13u  IPv4   5852       TCP 127.0.0.1:mysql (LISTEN)
> postgrey   2153 postgrey    5u  IPv4   5986       TCP 127.0.0.1:60000 (LISTEN)
> couriertc  2352     root    3u  IPv6   6366       TCP *:imap2 (LISTEN)
> couriertc  2364     root    3u  IPv6   6385       TCP *:imaps (LISTEN)
> couriertc  2369     root    5u  IPv6   6401       TCP *:pop3 (LISTEN)
> couriertc  2383     root    3u  IPv6   6421       TCP *:pop3s (LISTEN)
> master     2451     root   11u  IPv4   6597       TCP *:smtp (LISTEN)
> master     2451     root   17u  IPv4   6613       TCP 127.0.0.1:10025 (LISTEN)
> sshd       2486     root    3u  IPv6   6775       TCP *:ssh (LISTEN)
> proftpd    2547  proftpd    1u  IPv6   6870       TCP *:ftp (LISTEN)
> apache2    2569     root    4u  IPv6   6912       TCP *:www (LISTEN)
> 3          2613     root    3u  IPv4   7090       TCP *:6969 (LISTEN)
> apache2    3874 www-data    4u  IPv6   6912       TCP *:www (LISTEN)
> amavisd-n  3903   amavis    5u  IPv4   5768       TCP 127.0.0.1:10024 (LISTEN)
> amavisd-n  3931   amavis    5u  IPv4   5768       TCP 127.0.0.1:10024 (LISTEN)
> apache2    3969 www-data    4u  IPv6   6912       TCP *:www (LISTEN)
> smtpd     17811  postfix    6u  IPv4   6597       TCP *:smtp (LISTEN)
> ############################################################
> 
> ############################################################
> lsof -p 2613
> COMMAND  PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
> 3       2613 root  cwd    DIR    3,1    4096       2 /
> 3       2613 root  rtd    DIR    3,1    4096       2 /
> 3       2613 root  txt    REG    3,1  652620 3870961 /tmp/sh-DS1OXTAACRK (deleted)
> 3       2613 root  mem    REG    0,0               0 [heap] (stat: No such file or directory)
> 3       2613 root  mem    REG    3,1 1241392 6373382 /lib/tls/i686/cmov/libc-2.3.6.so
> 3       2613 root  mem    REG    3,1    9656 6373401 /lib/tls/i686/cmov/libutil-2.3.6.so
> 3       2613 root  mem    REG    3,1   21868 6373384 /lib/tls/i686/cmov/libcrypt-2.3.6.so
> 3       2613 root  mem    REG    3,1   76548 6373388 /lib/tls/i686/cmov/libnsl-2.3.6.so
> 3       2613 root  mem    REG    3,1   88164 6356994 /lib/ld-2.3.6.so
> 3       2613 root    0u   CHR    1,3             790 /dev/null
> 3       2613 root    1u   CHR    1,3             790 /dev/null
> 3       2613 root    2u   CHR    1,3             790 /dev/null
> 3       2613 root    3u  IPv4   7090             TCP *:6969 (LISTEN)
> ############################################################
> 
> ############################################################
> After a reboot, iptables "rules" come up that should not be coming up
> iptables-save
> # Generated by iptables-save v1.3.6 on Fri Nov 20 09:17:10 2009
> *filter
> :INPUT ACCEPT [137456:91136735]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [473095:177141687]
> -A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
> -A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
> COMMIT
> # Completed on Fri Nov 20 09:17:10 2009
> ############################################################
> 
> ############################################################
> Here is what ClamAV detects:
> /sbin/ttymon: Trojan.Linux.Rootkit.A FOUND
> /usr/lib/libsh/shsb: Linux.LionCleaner FOUND
> /usr/bin/pstree: Trojan.Rootkit-118 FOUND
> ############################################################
> 
> ############################################################
> rkhunter --checkall
>   Rootkit 'SHV4'...                                          [ Warning! ]
> 
>             --------------------------------------------------------------------------------
>             Found parts of this rootkit/trojan by checking the default files and directories
>             Please inspect the available files, by running this check with the parameter
>             --createlogfile and check the log file (current file: /dev/null).
>             --------------------------------------------------------------------------------
> 
> 
> [Press <ENTER> to continue]
> 
>   Rootkit 'SHV5'...                                          [ Warning! ]
> 
>             --------------------------------------------------------------------------------
>             Found parts of this rootkit/trojan by checking the default files and directories
>             Please inspect the available files, by running this check with the parameter
>             --createlogfile and check the log file (current file: /dev/null).
>             --------------------------------------------------------------------------------
> 
> Scanned files: 342
> Possible infected files: 2
> Possible rootkits: SHV4 SHV5
> ############################################################
> 
> "Tadas Kvedaras" <t.kvedaras.nospam@nospam.white-hat.no_spam.eu> wrote in 
> message news:he5dii$3ps$1@trimpas.omnitel.net...
>> Everything is possible. That bad habit of reinstalling Windows whenever 
>> something stops working came over from Windows.
>>
>> You analyse the system (through the logs) and look for the cause; once 
>> you have found the cause, you remove it. I see you have started the 
>> analysis, but there are not many results - that happens too.
>>
>> From all the spam above I see that you keep important data on the server 
>> (people's websites can also be considered important data), yet you make 
>> no backups and have no description of the system (otherwise there would 
>> be no fear that something will not work after reinstalling the system). 
>> You have a chance to put that right.
>>
>> Your phrase "As far as I understood from the Linux guy, somebody dropped 
>> some script in through the web, and that script is related to some port." 
>> sounds dangerous to me. If this is a server you administer, you should 
>> know who puts what where and who does what.
>>
>>
>> Now, about your problem:
>> Looks like the network card - look at the logs once more. Usually the 
>> logs "howl" (syslog, messages).
>> Rootkits? Intruders? - Nonsense (this is more likely a different problem 
>> from the one you mention). The only thing I would not rule out is a DoS 
>> attack.
>>
>> The point: record the time when it crashed (I still did not understand 
>> whether the crash forcibly reboots your system or not). Go through the 
>> logs and look at what happened in the last 10 minutes (before the crash). 
>> When you find it, try to fix it, or if you do not understand the logs, 
>> post them here - colleagues may help (if you post the essential 
>> information).
>>
>> Good luck
>>
>> --
>> Tadas K.
>>
>>
>> "oxygen" <neturiu@mailo.px> wrote in message 
>> news:he48k3$9l6$1@trimpas.omnitel.net...
>>> what do you think, can the existing system be fixed without a complete reinstall?
>>>
>>> "ejs" <ejs@no.where> wrote in message 
>>> news:he487d$8t2$1@trimpas.omnitel.net...
>>>> krx wrote:
>>>>
>>>>> And why on earth keep everything on one server? It would be a luxury :-)
>>>>
>>>> Samba.
>>>>
>>>> -- 
>>>>  ejs
>>>
>>>
>>
>> 
> 
>
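As an added example (not code from the thread or from any of its posters), here is a small Python triage script that applies the checks discussed above to the evidence oxygen posted: it compares the `lsof -ni` listeners against a baseline of expected services, checks the `lsof -p` executable path for a binary that runs from a scratch directory or has already been deleted from disk, and checks `iptables-save` for ACCEPT rules on unexpected ports or rules that appear twice. The sample inputs are constructed from the output quoted in the thread (wrapped lines rejoined, lists shortened); `EXPECTED_LISTENERS` and `EXPECTED_FW_PORTS` are assumed baselines for this particular server, not anything the thread states.

```python
"""Triage of the evidence quoted in the thread: unexpected listeners in
`lsof -ni`, a process whose executable lives in /tmp or was deleted
(`lsof -p PID`), and `iptables-save` rules that should not exist.
Added example; the baselines below are assumptions for this server."""
import re
from collections import Counter

# Assumed baseline: (command, port-or-service) pairs this server should
# listen on, built from the legitimate services in the quoted lsof output.
EXPECTED_LISTENERS = {
    ("amavisd-n", "10024"), ("mysqld", "mysql"), ("postgrey", "60000"),
    ("couriertc", "imap2"), ("couriertc", "imaps"), ("couriertc", "pop3"),
    ("couriertc", "pop3s"), ("master", "smtp"), ("master", "10025"),
    ("sshd", "ssh"), ("proftpd", "ftp"), ("apache2", "www"), ("smtpd", "smtp"),
}
# Assumed: the only ports the firewall is meant to ACCEPT explicitly.
EXPECTED_FW_PORTS = {"22", "25", "80", "110", "143", "993", "995"}
# Directories a legitimate daemon's executable should never live in.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample inputs, taken from the output quoted in the thread.
LSOF_NI = """\
COMMAND     PID     USER   FD   TYPE DEVICE SIZE NODE NAME
amavisd-n  2034   amavis    5u  IPv4   5768       TCP 127.0.0.1:10024 (LISTEN)
mysqld     2096    mysql   13u  IPv4   5852       TCP 127.0.0.1:mysql (LISTEN)
sshd       2486     root    3u  IPv6   6775       TCP *:ssh (LISTEN)
apache2    2569     root    4u  IPv6   6912       TCP *:www (LISTEN)
3          2613     root    3u  IPv4   7090       TCP *:6969 (LISTEN)
smtpd     17811  postfix    6u  IPv4   6597       TCP *:smtp (LISTEN)
"""
LSOF_P = """\
COMMAND  PID USER   FD   TYPE DEVICE    SIZE    NODE NAME
3       2613 root  cwd    DIR    3,1    4096       2 /
3       2613 root  txt    REG    3,1  652620 3870961 /tmp/sh-DS1OXTAACRK (deleted)
3       2613 root  mem    REG    3,1 1241392 6373382 /lib/tls/i686/cmov/libc-2.3.6.so
3       2613 root    0u   CHR    1,3             790 /dev/null
3       2613 root    3u  IPv4   7090             TCP *:6969 (LISTEN)
"""
IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [137456:91136735]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [473095:177141687]
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6969 -j ACCEPT
COMMIT
"""

def parse_listeners(lsof_ni_text):
    """Yield (command, pid, user, bind_addr, port) for every LISTEN line."""
    for line in lsof_ni_text.splitlines()[1:]:      # skip the header row
        parts = line.split()
        proto = next((t for t in parts if t in ("TCP", "UDP")), None)
        if proto is None or "(LISTEN)" not in parts:
            continue
        name = parts[parts.index(proto) + 1]        # e.g. "*:6969"
        addr, _, port = name.rpartition(":")
        yield parts[0], parts[1], parts[2], addr, port

def unexpected_listeners(lsof_ni_text):
    """Report listeners that are not in the baseline or have odd names."""
    findings = []
    for command, pid, user, addr, port in parse_listeners(lsof_ni_text):
        reasons = []
        if (command, port) not in EXPECTED_LISTENERS:
            reasons.append("not in baseline")
        if command.isdigit():                       # a daemon called "3"
            reasons.append("numeric command name")
        if reasons:
            findings.append(f"pid {pid} ({command}) as {user} on {addr}:{port}: "
                            + ", ".join(reasons))
    return findings

def executable_findings(lsof_p_text):
    """Flag a process whose executable (txt) is deleted or in a scratch dir."""
    findings = []
    for line in lsof_p_text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6 or parts[3] != "txt":
            continue
        # NAME starts at the first absolute path after the fixed columns.
        idx = next((i for i, t in enumerate(parts) if i >= 5 and t.startswith("/")), None)
        if idx is None:
            continue
        path = " ".join(parts[idx:])
        if "(deleted)" in path:
            findings.append(f"pid {parts[1]}: executable unlinked from disk: {path}")
        if path.startswith(SCRATCH_DIRS):
            findings.append(f"pid {parts[1]}: executable runs from scratch dir: {path}")
    return findings

RULE_RE = re.compile(r"^-A INPUT .*--dport (\d+) -j ACCEPT$")

def firewall_findings(iptables_save_text):
    """Flag INPUT ACCEPT rules for unexpected ports and duplicated rules."""
    ports = Counter()
    for line in iptables_save_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            ports[m.group(1)] += 1
    findings = []
    for port, count in ports.items():
        if port not in EXPECTED_FW_PORTS:
            findings.append(f"INPUT accepts dport {port}, not in expected set")
        if count > 1:
            findings.append(f"INPUT dport {port} ACCEPT rule appears {count} times")
    return findings

if __name__ == "__main__":
    for finding in (unexpected_listeners(LSOF_NI) + executable_findings(LSOF_P)
                    + firewall_findings(IPTABLES_SAVE)):
        print("[!]", finding)
```

Feed it the real `lsof -ni`, `lsof -p PID` and `iptables-save` output saved from the box and adjust the two baselines to the services the server is actually meant to run. Keep in mind that on this machine ClamAV has already flagged `/usr/bin/pstree` as trojaned, so tools run on the live system may be lying; capture the evidence with binaries from a known-good medium or from the clean server Laboras suggests, and treat the rules that reappear after every reboot as a sign that something in the startup path re-creates them.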