Re: possibly hacked? Need some ideas please!
From: Michael Heiming (michael+USENET_at_www.heiming.de)
Date: Sat, 14 Feb 2004 20:23:32 +0100
Andy <firstname.lastname@example.org> wrote:
> I have a remote Linux box doing file/email/web serving for
> a small office behind a hardware firewall. All of a sudden
> none of the services are responding including SSH.
> Ports 21, 22, 25, 80, 110, 143, 443, and 993 are open on the
> firewall pointing to the Linux box.
> We are using the latest ProFTPD with NO anonymous access allowed.
> I have VNC to a desktop inside the LAN and I can ping the
> Linux box at 192.168.1.100. It responds to ping!
Hopefully this is tunneled through ssh.
> But all the other services are NOT responding.
> I thought maybe the power went out and it is sitting waiting
> for filesystem check. If that was the case, it would not
Recent distros use journaling FS like ext3.
> reply to ping right? Because the networking is not started right?
Not always. I have seen systems responding to pings in the
strangest states, so it doesn't really tell much; it should have
power and the NIC has some connection.
> I am lost and hope the box is not hacked...
> Any ideas?
Only you can check. It's not uncommon if you have services like FTP
open to the internet using normal user accounts. You'd better try
out some rootkit checker before reconnecting the system.
A server should have complete serial BIOS redirection with
additional possibilities to switch the whole system off/on.
Michael Heiming (GPG-Key ID: 0xEDD27B94)
Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of spam.