  #1
    Just Joined! | Join Date: Mar 2005 | Posts: 8

    Someone hacked my inetd?


    I noticed one strange open port and found out that it is listened to by inetd version 1.79s.

    I commented out entries in my inetd.conf one by one, and I'm left with one entry,
    sgi_fam/1-2 stream rpc/tcp wait root /usr/sbin/famd famd
    which I think is necessary.

    nmap still shows the following ports open:
    PORT STATE SERVICE
    25/tcp open smtp
    587/tcp open submission
    923/tcp open unknown
    6000/tcp open X11

    Each time I shut down and restart inetd, the open port changes. Below is the sequence I've tracked.

    923 944 950 956 962 968 974 980 986 992 1000 1006

    What should I do now? I use my laptop on campus, wirelessly connected all the time.

    I currently disabled inetd and the only open ports left are SMTP, Submission and x11.

  #2
    Just Joined! | Join Date: Mar 2005 | Posts: 8
    Just narrowed down the random port to be caused by FAM.

  #3
    Just Joined! | Join Date: Mar 2005 | Location: Ghana | Posts: 35
    You know what? After narrowing it down, which is important, try setting up a firewall on your box. Use iptables to prevent incoming connections on the ports you normally use.

    Try installing PortSentry to track, thwart and log intrusions on your box. All the best, man.

    Yours in the PENGUIN

  #4
    Linux Enthusiast (puntmuts) | Join Date: Dec 2004 | Location: Republic Banana | Posts: 562
    You could configure fam not to listen on tcp ports I believe. /edit: fam is a normal program, not some kind of hack tool.
    I'm so tired .....

  #5
    Linux Newbie | Join Date: Sep 2003 | Location: St.Charles, Missouri, USA | Posts: 201
    famd = File Alteration Monitor. It is required by more than a few programs. Some of those programs are mail servers and some are WMs.
    Powered by Gentoo
    never ever ever use the hardened option in make.conf!

  #6
    Just Joined! | Join Date: Mar 2005 | Posts: 8
    I've searched and found out that the behaviour is normal.

    What's a good, user-friendly way of maintaining a firewall in Linux?

    My computer is at risk, as I use it on campus all the time. However, I have tons of things on hand, and I cannot afford to spend 4-5 hours trying to read the HOWTO for firewalls. I am familiar with kernel compiling and shell scripting.

    Preferably, is there a robust GUI that I can use?

  #7
    Just Joined! | Join Date: Mar 2005 | Location: Ghana | Posts: 35
    Ztan

    Try setting up a firewall using iptables or ipchains. Just use the following resource: www.yolinux.com. Please look out for the tutorial link in the index, and use LINUX INTERNET SECURITY.

    All the best. Send your distro and we will keep in touch. Let's see how we can track down this HAT!

    Yours in Linux
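The replies above recommend a firewall as the practical fix for a laptop that carries listeners it cannot easily remove (famd's RPC port, X11 on 6000, the local MTA). The script below is an added example, not code from this thread or from any project it names: a minimal default-deny, stateful iptables policy. It assumes iptables (IPv4) is installed and that it is run as root to apply; `DRY_RUN`, `ALLOW_TCP`, `IPTABLES` and the function names are assumptions of this example, not anything the posters used.

```shell
#!/bin/sh
# Added example (not from this thread): minimal stateful host firewall for a
# single laptop. Inbound is denied by default, so famd's random RPC port, X11
# and the local MTA stay unreachable from the network without stopping them.
# Assumptions: iptables (IPv4) installed; run as root to apply.
# DRY_RUN=1 (default) only prints the commands; DRY_RUN=0 applies them.
# ALLOW_TCP is an optional space-separated list of TCP ports to expose, e.g. "22".

IPTABLES="${IPTABLES:-iptables}"

# Print the rule set, one iptables argument list per line.
laptop_rules() {
    cat <<'EOF'
-F INPUT
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
EOF
    # Services deliberately exposed, if any (none by default).
    for port in ${ALLOW_TCP:-}; do
        echo "-A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
    # Rate-limited log of what the default policy drops, so port scans show up
    # in syslog instead of being silently discarded.
    echo "-A INPUT -m limit --limit 5/minute -j LOG --log-prefix FW-DROP:"
}

# Run each rule, or just print it in dry-run mode.
apply_rules() {
    laptop_rules | while IFS= read -r rule; do
        if [ "${DRY_RUN:-1}" = "1" ]; then
            echo "$IPTABLES $rule"
        else
            # word splitting of $rule is intended here
            $IPTABLES $rule
        fi
    done
}

# Number of rules in the generated policy (handy for sanity checks).
rule_count() {
    laptop_rules | wc -l | tr -d ' '
}

# Default invocation: show what would be applied.
apply_rules
```

Run it once with `DRY_RUN=1` to review the rule list, then `DRY_RUN=0 ALLOW_TCP="22" sh firewall.sh` to apply it with SSH exposed; with this policy in place, re-running nmap from another host should show nothing but the ports listed in `ALLOW_TCP`.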

  #8
    Just Joined! | Join Date: Mar 2005 | Location: Ghana | Posts: 35

    Xinet Hacked!

    OK ztan,

    let's hit it this way; let's try setting up the following:

    1. using TCP wrappers
    2. securing the xinetd server
    3. implementing a SENSOR on services

    Firstly, we have to be sure of the intruder's identification <ip_addr>, then the service on xinetd that the intrusion is made from.

    TCP Wrappers
    Edit the following file: /etc/hosts.deny
    Add this:
    a. in.telnetd:ALL:severity emerg
    b. ALL:<ip_addr>:spawn /bin/ 'date' %c %d >> /var/log/intru_alert

    The above will safeguard against the intrusion and log into the file intru_alert, which you will have to create inside /var/log.

    Implementing a SENSOR
    1. Select a service you really don't use, like telnet.
    2. Edit /etc/xinetd/telnet and change FLAGS.
    3. Add flags = SENSOR
    4. Add deny_time = FOREVER (which means until xinetd restarts)

    Sensors can be set on any service you want to set them on. But the setbacks are that the intruder can use a DoS attack on us if he knows we are using a SENSOR; a stealth scan can also not be safeguarded against.

    Securing the xinetd server
    Edit the xinetd.conf file inside /etc:
    1. cps = <no._of_connections> <wait period>
    2. instances = <no._of_connections>
    3. per_source = <no._of_connections>
    4. rlimit_as = <number [k|M]>
    5. rlimit_cpu = <no._of_seconds>

    Use the man pages for xinetd.conf to understand the fields and implement accordingly.

    Well man, the best place to crack this attack is from the console; that is the power of the PENGUIN, something M$ hasn't got.
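The post above lists the xinetd.conf limits and the TCP-wrapper entries to add but leaves the values as placeholders. The script below is an added example, not the poster's configuration: it generates a complete xinetd `defaults` stanza with those limits filled in, plus a default-deny hosts.allow/hosts.deny pair with the spawn-to-log trick the post describes. It assumes xinetd built with libwrap support; the numeric limits, the log path `/var/log/intru_alert` (taken from the post) and the function names are choices of this example, to be tuned for the host. Nothing under /etc is touched unless you pass a real path.

```shell
#!/bin/sh
# Added example (not from this thread): generate the xinetd "defaults" stanza
# and TCP-wrapper entries described above, with concrete example values.
# Assumptions: xinetd with libwrap; limits below are illustrative, tune them.
# Each generator writes to stdout; write_fragment installs one to a file of
# your choosing, so try it against a scratch path before /etc.

# Global limits that apply to every service xinetd manages.
xinetd_defaults() {
    cat <<'EOF'
defaults
{
        # log to syslog so entries sit next to everything else
        log_type        = SYSLOG daemon info
        log_on_success  = PID HOST DURATION
        log_on_failure  = HOST ATTEMPT
        # at most 25 new connections per second; pause 10 s when exceeded
        cps             = 25 10
        # no more than 30 simultaneous instances of any one service
        instances       = 30
        # and no more than 5 of them from a single client address
        per_source      = 5
        # resource caps so a runaway child cannot exhaust the host
        rlimit_as       = 64M
        rlimit_cpu      = 60
}
EOF
}

# hosts.allow is consulted first: only loopback clients by default.
tcpwrappers_allow() {
    cat <<'EOF'
# local clients only; widen per service, e.g. "sshd: 10.1.2.0/255.255.255.0"
ALL: 127.0.0.1
EOF
}

# hosts.deny catches everything not allowed above, logs at emergency
# severity and appends a line to the alert file (%c = client, %d = daemon).
tcpwrappers_deny() {
    cat <<'EOF'
ALL: ALL: severity emerg: spawn (/bin/echo "$(date) %c -> %d" >> /var/log/intru_alert) &
EOF
}

# Install a generated fragment without clobbering an existing file.
# Usage: write_fragment <generator-function> <target-path>
write_fragment() {
    gen="$1"
    target="$2"
    if [ -e "$target" ]; then
        echo "refusing to overwrite existing $target" >&2
        return 1
    fi
    "$gen" > "$target"
}

# Default invocation: show what would be written.
xinetd_defaults
tcpwrappers_allow
tcpwrappers_deny
```

Review the output, then install with e.g. `write_fragment tcpwrappers_deny /etc/hosts.deny` and restart xinetd; `touch /var/log/intru_alert` first, as the post notes, so the spawned echo has somewhere to write.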
