Someone hacked my inetd?
I noticed one strange open port and found out that it is listened on by inetd version 1.79s.
I commented out entries in my inetd.conf one by one, and I'm left with one entry, which I think is necessary:
sgi_fam/1-2 stream rpc/tcp wait root /usr/sbin/famd famd
nmap still shows the following ports opened
PORT STATE SERVICE
25/tcp open smtp
587/tcp open submission
923/tcp open unknown
6000/tcp open X11
Each time I shut down and restart inetd, the open port changes. Below is the sequence I've tracked:
923 944 950 956 962 968 974 980 986 992 1000 1006
What should I do now? I use my laptop on campus, wirelessly connected all the time.
I currently disabled inetd, and the only open ports left are SMTP, Submission and X11.
Just narrowed down the random port to be caused by FAM.
You know what? After narrowing it down, which is important, try setting up a firewall on your box. Use iptables to prevent incoming connections on the ports you normally use.
Try installing PortSentry to track, thwart and log intrusions on your box. All the best, man.
Yours in the PENGUIN
You could configure fam not to listen on tcp ports I believe. /edit: fam is a normal program, not some kind of hack tool.
famd = File Alteration Monitor. It is required by more than a few programs. Some of those programs are mail servers and some are window managers.
I've searched and found out that the behavior is normal.
What's a good user-friendly way of maintaining a firewall in Linux?
My computer is at risk, as I use it on campus all the time. However, I've tons of things on hand, and I cannot afford to spend 4-5 hours trying to read HOWTOs for firewalls. I am familiar with kernel compiling and shell scripting.
Preferably, is there a robust GUI that I can use?
Try setting up a firewall using iptables or ipchains. Just use the following resource: www.yolinux.com. Please look out for the tutorial link in the index, and use LINUX INTERNET SECURITY.
All the best. Send your distro, and we will keep in touch. Let's see how we can track down this HAT!
Yours in Linux
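The iptables firewall suggested in this reply and in the earlier one, written out as an added example (not code from anyone in the thread): a POSIX sh script that builds a default-deny ruleset for a laptop on an untrusted wireless network and loads it with iptables-restore. It assumes iptables with the state and limit matches; the optional list of ports to open and the "fw-drop:" log prefix are this example's own choices.

```shell
#!/bin/sh
# Minimal host firewall for a laptop on an untrusted (campus wireless) network.
# Policy: drop unsolicited inbound traffic, allow loopback and replies to
# connections we started, optionally open a few TCP ports, and log what is
# dropped (rate-limited so a port scan cannot flood syslog).
# Added example for the thread above; assumes iptables with the state/limit matches.

# Print the ruleset in iptables-restore format.
# Arguments: TCP ports on which NEW connections are accepted (none by default).
laptop_rules() {
    for port in "$@"; do
        case "$port" in
            ''|*[!0-9]*) echo "laptop_rules: bad port '$port'" >&2; return 1 ;;
        esac
    done
    echo '*filter'
    echo ':INPUT DROP [0:0]'      # default: unsolicited inbound is dropped
    echo ':FORWARD DROP [0:0]'    # a laptop does not route for anyone
    echo ':OUTPUT ACCEPT [0:0]'   # outbound is unrestricted
    # Loopback stays open, so the MTA on 25/587, the X server on 6000 and
    # famd's RPC port remain reachable from the box itself but not from the LAN.
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    echo '-A INPUT -m state --state INVALID -j DROP'
    echo '-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT'
    for port in "$@"; do
        echo "-A INPUT -p tcp --dport $port -m state --state NEW -j ACCEPT"
    done
    # Log what falls through (3/min, burst 10) before the DROP policy eats it.
    echo '-A INPUT -m limit --limit 3/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "'
    echo 'COMMIT'
}

# "apply PORT..." loads the rules (needs root); anything else prints them.
if [ "${1:-}" = "apply" ]; then
    shift
    [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
    laptop_rules "$@" | iptables-restore
    iptables -L INPUT -n -v
else
    laptop_rules "$@"
fi
```

Run `sh laptop-fw.sh` to print the ruleset for review, or `sh laptop-fw.sh apply 22` as root to load it while keeping SSH reachable. With this in place the MTA on 25/587 and the X server on 6000 answer only over loopback; starting X with `-nolisten tcp` is still worth doing so port 6000 is not open at all.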
Let's hit it this way. Let's try setting up the following:
1. using TCP wrappers
2. securing the xinetd server
3. implementing a SENSOR on services
Firstly, we have to be sure of the intruder's identification, <ip_addr>, and then of the service on xinetd that the intrusion is made through.
Edit the following file: /etc/hosts.deny
a. in.telnetd:ALL:severity emerg
b. ALL:<ip_addr>:spawn /bin/ 'date' %c %d >> /var/log/intru_alert
The above will safeguard against the intrusion and log into the file intru_alert, which you will have to create inside /var/log.
Implementing a SENSOR
1. Select a service you really don't use, like telnet.
2. Edit /etc/xinetd.d/telnet and change FLAGS.
3. Add flags = SENSOR
4. Add deny_time = FOREVER (which means until xinetd restarts)
Sensors can be set on any service you want to set them on. But the setbacks are that the intruder can use a DoS attack on us if he knows we are using a SENSOR, and a stealth scan also cannot be safeguarded against.
Securing the xinetd server
Edit the xinetd.conf file inside /etc:
1. cps = <no._of_connections> <wait_period>
2. instances = <no._of_connections>
3. per_source = <no._of_connections>
4. rlimit_as = <number [k|M]>
5. rlimit_cpu = <no._of_seconds>
Use the man pages for xinetd.conf to understand the fields and implement accordingly.
Well, man, the best place to crack this attack is from the console; that is the power of the PENGUIN, something M$ hasn't got.
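The three pieces of this reply (the hosts.deny entries, the xinetd SENSOR service and the xinetd.conf limits) as one added example, not code from the poster: a POSIX sh script that writes working versions of the files into a staging directory so they can be reviewed before being copied to /etc. The intruder address 203.0.113.45, the alert-log path, the use of /bin/echo and /bin/date inside the spawn command, and the numeric limits are this example's assumptions; it also assumes tcpd/libwrap built with PROCESS_OPTIONS (the normal case on Linux), which is what makes the severity and spawn options available.

```shell
#!/bin/sh
# Stage the TCP wrappers and xinetd hardening from the reply above.
# Added example; addresses, paths and limits are placeholders to adjust.

# write_hardening STAGE_DIR INTRUDER_ADDR
write_hardening() {
    dir=$1          # staging prefix; files land under $dir, not /etc
    intruder=$2     # address to refuse, supplied by the caller
    [ -n "$dir" ] && [ -n "$intruder" ] || return 1
    mkdir -p "$dir/xinetd.d"

    # hosts.deny is consulted by tcpd/libwrap after hosts.allow finds no match.
    # The heredoc is unquoted so $intruder expands; the backticks are escaped
    # so they reach the shell that wrappers spawn, not this script.
    cat > "$dir/hosts.deny" <<EOF
# Refuse telnet from everywhere and log the refusal at syslog severity emerg.
in.telnetd: ALL: severity emerg
# Refuse every wrapped service to the suspect host and append a timestamped
# record of client (%c) and daemon (%d) to the alert log, which must exist.
# The trailing & backgrounds the logger so the refusal is not delayed.
ALL: $intruder: spawn (/bin/echo \`/bin/date\` %c %d >> /var/log/intru_alert) &
EOF

    # xinetd SENSOR: the program named in "server" is never started; any client
    # that connects is put on xinetd's deny list for deny_time (FOREVER = until
    # xinetd restarts).  The service must not be disabled or the trap is inert.
    cat > "$dir/xinetd.d/telnet" <<'EOF'
service telnet
{
    disable     = no
    flags       = SENSOR
    deny_time   = FOREVER
    socket_type = stream
    protocol    = tcp
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
}
EOF

    # Global limits from the reply, with logging so refusals are visible.
    # cps: accept at most 25 connections/s, then stop listening for 30 s.
    # instances: max simultaneous servers per service.
    # per_source: max simultaneous connections from one address.
    # rlimit_as / rlimit_cpu: address-space and CPU-second cap per server.
    cat > "$dir/xinetd.conf" <<'EOF'
defaults
{
    log_type       = SYSLOG daemon info
    log_on_failure = HOST
    log_on_success = PID HOST DURATION EXIT
    cps            = 25 30
    instances      = 50
    per_source     = 10
    rlimit_as      = 8M
    rlimit_cpu     = 30
}
includedir /etc/xinetd.d
EOF
}

# "stage [ADDR]" writes the files to a temporary directory for review.
if [ "${1:-}" = "stage" ]; then
    stage=$(mktemp -d)
    write_hardening "$stage" "${2:-203.0.113.45}"
    echo "Review the files under $stage, copy them into /etc, then restart xinetd."
fi
```

Run `sh harden.sh stage 203.0.113.45`, inspect the files, copy them into /etc, `touch /var/log/intru_alert`, and restart xinetd. Note what the SENSOR does and does not do: in.telnetd is never launched, and every host that touches port 23 is refused all xinetd services until the next restart, which is exactly why a scan with spoofed source addresses can lock out legitimate hosts, as the reply warns.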