Re: possibly hacked? Need some ideas please!

From: Michael Heiming (michael+USENET_at_www.heiming.de)
Date: 02/14/04


Date: Sat, 14 Feb 2004 20:23:32 +0100


Andy <none@nofdnsfds.com> wrote:

> I have a remote Linux box doing file/email/web serving for
> a small office behind a hardware firewall. All of a sudden
> none of the services are responding including SSH.

> Ports 21, 22, 25, 80, 110, 143, 443, and 993 are open on the
> firewall pointing to the Linux box.

> We are using the latest ProFTPD with NO anonymous access allowed.

> I have VNC to a desktop inside the LAN and I can ping the
> Linux box at 192.168.1.100. It responds to ping!

Hopefully this is tunneled through ssh.

> But all the other services are NOT responding.

> I thought maybe the power went out and it is sitting waiting
> for filesystem check. If that was the case, it would not

Recent distros use journalizing FS like ext3.

> reply to ping right? Because the networking is not started right?

Not always. I have seen systems responding to pings in the
strangest states, so it doesn't really tell much; it should have
power and the NIC has some connection.

> I am lost and hope the box is not hacked...

> Any ideas?

Only you can check; it is not uncommon if you have services like ftp
open to the internet using normal user accounts. You'd better try
out some rootkit checker before reconnecting the system.

BTW
Server should have a complete serial BIOS redirection with
additional possibilities to switch off/on the whole system.

- --
Michael Heiming (GPG-Key ID: 0xEDD27B94)

Remove +SIGNS and www. if you expect an answer, sorry for
inconvenience, but I get tons of spam.

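An added example, not part of the original post: since a ping reply says little about the state of the box, a TCP probe run from a machine inside the LAN (such as the VNC desktop) separates "kernel answers with RST, no daemon listening" from "SYN goes unanswered" from "port accepts but the daemon never greets". The function names `probe` and `summarize` are hypothetical; the address and port list are the ones given in the post.

```python
import errno
import socket

PORTS = [21, 22, 25, 80, 110, 143, 443, 993]   # ports listed in the post
BANNER_FIRST = {21, 22, 25, 110, 143}          # FTP, SSH, SMTP, POP3, IMAP greet first


def probe(host, port, timeout=3.0, expect_banner=None):
    """Return (state, banner); state is 'open', 'open-silent', 'refused',
    'no-reply' or 'error:<errno name>'."""
    if expect_banner is None:
        expect_banner = port in BANNER_FIRST
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            if not expect_banner:
                return "open", ""
            try:
                data = s.recv(128)
            except (socket.timeout, TimeoutError):
                data = b""
            if not data:
                # Handshake completed but no greeting arrived in time.
                return "open-silent", ""
            return "open", data.decode("ascii", "replace").strip()
    except ConnectionRefusedError:
        return "refused", ""       # RST came back: the host's TCP stack is alive
    except (socket.timeout, TimeoutError):
        return "no-reply", ""      # SYN unanswered: dropped, filtered or host wedged
    except OSError as e:
        return "error:" + errno.errorcode.get(e.errno, "unknown"), ""


def summarize(states):
    """One-line triage hint from a {port: state} mapping."""
    kinds = set(states.values())
    if kinds == {"refused"}:
        return "RST on every port: TCP stack is up but no daemon is listening"
    if kinds == {"no-reply"}:
        return "no TCP answer on any port: SYNs are dropped or not processed"
    if kinds == {"open"}:
        return "all probed services accept connections and greet where expected"
    return "mixed result: compare the per-port states"


if __name__ == "__main__":
    host = "192.168.1.100"         # LAN address from the post
    states = {}
    for p in PORTS:
        states[p], banner = probe(host, p)
        print(p, states[p], banner)
    print(summarize(states))
```

Whatever the probe shows, it only narrows down the state of the network stack and daemons; it does not replace the rootkit check recommended above.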