Mark McRitchie wrote:
| After I checked my email and had an unexpected security email informing me
| about a change to the open ports on one of my boxes, I discovered a small
| program running.
|
| The process was running under the apache user context and was executed as
| "./bind". I found the executable at /tmp/.install/bind
|
| What's the best place to find more information on what this could be?
|
| Bah.
| Mark
|
| PS - Yes, I am going to reinstall the box. I've been planning it for a
| while, but this just pushed it up my priorities!

A good place to start would be the logs in /var/log; these give all sorts of info on connections to your box etc. I had an issue a while ago where I hadn't updated sshd to use protocol version 2 only. I was broken into and lost a load of data, BUT /var was intact :-) I reported the connecting IP to my ISP along with copies of the logs, then re-installed!

I personally tend to portscan my own box with nmap once in a while to see if anything is open that shouldn't be; netstat can also prove useful.

Also consider installing a firewall device; whether hardware or software, it can prove effective in combating attacks. iptables/ipchains is what I used to use before my ISP change to a nice friendly lot who provide me with a firewall :-D (www.anlx.net).

Neil
-- The Mailing List for the Devon & Cornwall LUG Mail majordomo@xxxxxxxxxxxx with "unsubscribe list" in the message body to unsubscribe.
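
The netstat check suggested in the reply above can be automated. The following is an added example, not part of the original thread: it parses `netstat -tlnp` output and flags listeners that are outside a known-good port baseline or whose executable lives in a temp, hidden or deleted path. The sample output, PIDs, port 4000 and the function names are constructed for illustration; only the `/tmp/.install/bind` path comes from the original message.

```python
import os
import re

# Directories a compromised service account can usually write binaries into.
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# Constructed sample of `netstat -tlnp` output (PIDs and port 4000 are made up).
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      612/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      845/httpd
tcp        0      0 0.0.0.0:4000            0.0.0.0:*               LISTEN      2291/bind
"""

# Constructed PID -> executable map standing in for /proc/<pid>/exe lookups.
SAMPLE_EXES = {612: "/usr/sbin/sshd", 845: "/usr/sbin/httpd", 2291: "/tmp/.install/bind"}

LISTEN_RE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+)/(\S+)")

def proc_exe(pid):
    """Resolve a running process's on-disk path (needs root for other users' PIDs)."""
    try:
        return os.readlink(f"/proc/{pid}/exe")
    except OSError:
        return None

def audit_listeners(netstat_text, expected_ports, exe_of=proc_exe):
    """Return one finding per listener that is off-baseline or run from a suspect path."""
    findings = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue  # header lines, or sockets whose owning PID netstat could not show
        port, pid, name = int(m.group(3)), int(m.group(4)), m.group(5)
        exe = exe_of(pid)
        reasons = []
        if port not in expected_ports:
            reasons.append("port not in baseline")
        if exe is None:
            reasons.append("executable path unreadable")
        elif exe.startswith(SUSPECT_DIRS) or exe.endswith(" (deleted)") or "/." in exe:
            reasons.append("runs from temp, hidden or deleted path")
        if reasons:
            findings.append({"port": port, "pid": pid, "name": name, "exe": exe, "reasons": reasons})
    return findings

if __name__ == "__main__":
    print(audit_listeners(SAMPLE_NETSTAT, {22, 80}, SAMPLE_EXES.get))
```

On a live box, pass the real `netstat -tlnp` output (run as root so the PID column is populated) and leave `exe_of` at its default.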