From: Mick
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Hacked by association?
Date: Wed, 19 Sep 2007 20:23:32 +0100

On Wednesday 19 September 2007, Grant wrote:
> I recognize everything in 'ps -ef' I think, but I've never really used
> netstat before. Under "Active Internet connections" I don't
> recognize:
>
> tcp localhost:10030
> tcp *:snpp

Hmm, are you running postfix on this server (just a suspicion)? Also, snpp is for pagers:
http://en.wikipedia.org/wiki/Simple_Network_Paging_Protocol

Run # netstat -anop which will show you the process owner. Hopefully, if there is something running it will show up (clever scripts can mask themselves from netstat, ps auxf, etc.).

Then run lsof (check man lsof) to see if there is anything suspicious there, like another user logged in either as root or with a different name.

Finally, ask your ISP to boot off a LiveCD and scan the machine with rkhunter and chkrootkit.

Depending on how many thousands of tickets the database had, the crackers may or may not have found out about your root passwd. On the other hand, if you can't sleep at night it is better to format and reinstall.

HTH.
-- 
Regards,
Mick
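The netstat check Mick suggests can be cross-checked against the kernel's own socket table. As an added example (not code from the thread), this Python script decodes /proc/net/tcp, the source netstat reads, and maps each listening socket's inode to its owning PIDs via /proc/*/fd; the sample lines are constructed to mirror the two entries Grant asked about (localhost:10030 and *:snpp, port 444). A listener present here but missing from `netstat -anop` output is the masking case the mail warns about.

```python
import glob
import os

# Kernel TCP state codes (include/net/tcp_states.h); others are left as hex.
TCP_STATES = {"01": "ESTABLISHED", "0A": "LISTEN", "06": "TIME_WAIT"}

def decode_endpoint(hexaddr):
    """'0100007F:272E' -> '127.0.0.1:10030': IPv4 is host-order hex, port big-endian."""
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets) + ":" + str(int(port_hex, 16))

def parse_proc_net_tcp(text):
    """One dict per socket line of /proc/net/tcp (header line skipped)."""
    sockets = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        sockets.append({"local": decode_endpoint(f[1]),
                        "remote": decode_endpoint(f[2]),
                        "state": TCP_STATES.get(f[3], f[3]),
                        "uid": int(f[7]),
                        "inode": int(f[9])})
    return sockets

def listening_sockets(text):
    return [s for s in parse_proc_net_tcp(text) if s["state"] == "LISTEN"]

def inode_to_pids(inode):
    """Owning PIDs for a socket inode, found by walking /proc/*/fd (root sees all)."""
    target = "socket:[%d]" % inode
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:          # process exited or permission denied
            continue
    return sorted(pids)

# Constructed sample mirroring the two entries Grant did not recognise:
# 0x272E = 10030 on localhost, 0x01BC = 444 (snpp) on all interfaces, both LISTEN.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:272E 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 00000000:01BC 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    for s in listening_sockets(SAMPLE):
        print(s["local"], "uid", s["uid"], "inode", s["inode"], "pids", inode_to_pids(s["inode"]))
```

On a live host, pass `open("/proc/net/tcp").read()` instead of SAMPLE and compare the listeners against the `netstat -anop` listing.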