Special Forums Cybersecurity pnscan running but not installed Post 302613491 by seanhogge on Tuesday 27th of March 2012 04:24:11 PM
Quote:
While it seems to be a reflex both new and seasoned Linux admins fall for, and while information can be gleaned from existing files, killing processes without recording details first does not help or speed up the fact-finding process, as clues like deleted files on open file descriptors and environment information like user details, working directory and connection data are lost.
While I would love to leave a port scanner running on my system while I gather details ineptly, I must disagree with the generalization of this statement. My first priority is to stop whatever malicious activity may be occurring on my server that may be affecting the well-being of someone else's server. In this case, my regard for other system administrators trumps my love of data.

Quote:
the best thing to do is do nothing.
Again, when AT&T, abuse networks and other sysadmins are emailing me, this is actually the opposite of what anyone should do.

Quote:
as "anything obviously fishy" doesn't convey much
I agree. Data trumps anecdotes. However, I'm not asking anyone else to diagnose the problem. That statement was merely an indication that the log files aren't flashing "WARNING: INTRUDER" type messages. I was hoping someone might suggest which logs were most likely to contain information, and what this type of problem might look like in them.

Your suggestion about utmp, wtmp, lastlog, etc. is sound, and that will certainly be a step I take.

The last command revealed two logins without IPs under my personal login. Perhaps that's meaningless, but the limited number of places I log in from all have IPs recorded.

I also realized that this production server had many settings cloned from a development server. Which means that a non-root user had sudo access, and ssh was accepting passwords and PAM.

I have since switched SSH to key auth only, completely removed any and all non-system users from sudo-enabled groups, as well as revisited my iptables firewall. I haven't been able to correctly limit the OUTPUT chain without killing web services, but I'll keep researching.

At this point, I have seen no other logins, no rogue processes and the victims have reported the port scanning as ceased. That's enough for a tentative declaration of "fixed" while I dig deeper.

---------- Post updated at 03:24 PM ---------- Previous update was at 09:49 AM ----------

Here's another interesting development. I have found that the system looks to be sending out requests that computers all over the internal network answer on port 8080. When I plug the network cable in, the flood begins. When I unplug, it stops.

When I moved all functionality to another server, and booted into a LiveCD to reinstall the OS from scratch? It's still doing it. Plug network in, traffic surge. Unplug, traffic stops.

I'm in the process of capturing the outbound data (only had the inbound answer) to get more info. But it seems that whatever this infection is, it runs at boot time. Has anyone ever experienced something like this?
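For the OUTPUT chain problem mentioned above (locking down outbound traffic without breaking the web server), here is an added iptables-restore ruleset that is not from the thread. It keeps the web service working by letting conntrack pass the replies to connections the server accepted, while new outbound connections are limited to a resolver and package updates; the resolver address 10.0.0.53 and the ports are constructed placeholders.

```text
*filter
# Default deny for everything this host originates. Inbound is handled by INPUT.
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
# Replies to connections the web server accepted on INPUT (80/443) match
# ESTABLISHED, so the site stays up even though OUTPUT defaults to DROP.
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# New outbound connections only to what the host needs: the local resolver ...
-A OUTPUT -d 10.0.0.53 -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -d 10.0.0.53 -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# ... and HTTP/HTTPS for package updates, and only when root starts them.
-A OUTPUT -p tcp -m multiport --dports 80,443 -m owner --uid-owner root -m conntrack --ctstate NEW -j ACCEPT
# Anything else a process tries to open (a sweep of the LAN on 8080, an outbound
# SSH session, an IRC connection) is logged at a capped rate and dropped.
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "
-A OUTPUT -j DROP
COMMIT
```

Run it through iptables-restore --test before loading, and watch the OUTPUT-DROP lines in the kernel log for legitimate traffic you forgot (NTP, mail, monitoring) rather than opening the chain back up.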
 

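For the port-8080 traffic in the update above, here is an added Python script (not code from the thread) that reads tcpdump -nn text and answers the question that matters before the capture is interpreted: whether this host is initiating connections to many LAN hosts on 8080 (bare SYNs fanning out), or merely receiving the answers that were already seen. The sample lines are constructed and the threshold of ten distinct targets is an assumption.

```python
"""Added example (not from the thread): spot scan-like fan-out in tcpdump -nn output."""
import re
from collections import defaultdict

# One tcpdump -nn line: "14:02:01.000123 IP 10.0.0.5.40001 > 10.0.0.1.8080: Flags [S], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2})\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def parse_line(line):
    """Return the fields of one tcpdump TCP line, or None for anything else (ARP, UDP...)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["sport"], fields["dport"] = int(fields["sport"]), int(fields["dport"])
    return fields

def fanout_by_source(lines, dport=8080):
    """Map each source IP to the distinct hosts it sent a bare SYN to on dport.
    Only Flags [S] counts: a SYN-ACK ([S.]) is the target answering, which is the
    inbound half the poster already captured, not proof that this host initiated.
    """
    targets = defaultdict(set)
    for line in lines:
        p = parse_line(line)
        if p and p["dport"] == dport and p["flags"] == "S":
            targets[p["src"]].add(p["dst"])
    return dict(targets)

def scanning_sources(lines, dport=8080, threshold=10):
    """Sources that opened connections to at least `threshold` distinct hosts on dport."""
    fan = fanout_by_source(lines, dport)
    return sorted(src for src, hosts in fan.items() if len(hosts) >= threshold)

# Constructed sample: 10.0.0.5 probes twelve neighbours on 8080 and they answer;
# one ordinary inbound web request to 10.0.0.5 must not be counted against it.
SAMPLE = [f"14:02:{i:02d}.000123 IP 10.0.0.5.{40000 + i} > 10.0.0.{i}.8080: Flags [S], seq 1, win 512, length 0"
          for i in range(1, 13)]
SAMPLE += [f"14:02:{i:02d}.000456 IP 10.0.0.{i}.8080 > 10.0.0.5.{40000 + i}: Flags [S.], seq 1, ack 2, win 512, length 0"
           for i in range(1, 13)]
SAMPLE.append("14:02:20.000789 IP 198.51.100.7.51234 > 10.0.0.5.80: Flags [S], seq 9, win 512, length 0")

if __name__ == "__main__":
    import sys  # usage: tcpdump -nn -l -i eth0 tcp | python3 fanout.py
    for src, hosts in fanout_by_source(sys.stdin).items():
        print(f"{src} -> {len(hosts)} distinct hosts on 8080")
```

If the fan-out persists while booted from a LiveCD, capture with tcpdump -e as well so the source MAC can be compared against the NIC's own address; traffic that carries another station's MAC is coming from elsewhere on the segment, not from this disk.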
asadmin-create-connector-security-map(1AS)                   User Commands                   asadmin-create-connector-security-map(1AS)

NAME
       asadmin-create-connector-security-map, create-connector-security-map - creates a security map for the named connector connection pool

SYNOPSIS
       create-connector-security-map --user admin_user [--password admin_password] [--host localhost] [--port 4848] [--secure|-s] [--passwordfile filename] [--terse=false] [--echo=false] [--interactive=true] --poolname connector_connection_pool_name --principals principal-name[,principal-name]*|--usergroups user-group[,user-group]* --mappedusername user_name [--mappedpassword password] mapname

DESCRIPTION
       Creates a security map for the named connector connection pool. If the security map is not present, one is created. You must have first created a connector connection pool using the create-connector-connection-pool command.

       The enterprise information system is any system which holds the information. It can be a mainframe, a messaging system, a database system, or even an application.

       The --principals option and --usergroups option are mutually exclusive; only one should be used.

       This command is supported in remote mode only.

OPTIONS
       --user            authorized domain application server administrative username.
       --password        password to administer the domain application server.
       --host            machine name where the domain application server is running.
       --port            port number of the domain application server listening for administration requests.
       --secure          if true, uses SSL/TLS to communicate with the domain application server.
       --passwordfile    file containing the domain application server password.
       --terse           indicates that any output data must be very concise, typically avoiding human-friendly sentences and favoring well-formatted data for consumption by a script. Default is false.
       --echo            setting to true will echo the command line statement on the standard output. Default is false.
       --interactive     if set to true (default), only the required password options are prompted.
       --poolname        connector connection pool name.
       --principals      a comma separated list of J2EE principals.
       --usergroups      a comma separated list of J2EE usergroups.
       --mappedusername  the enterprise information system username.
       --mappedpassword  the enterprise information system password.

OPERANDS
       mapname           name of the security map to be created.

EXAMPLES
       Example 1: Using create-connector-security-map

       It is assumed that the connector pool has already been created using the create-connector-pool command.

           asadmin> create-connector-security-map --user admin --password adminadmin --poolname connector-pool1 --principals principal1,principal2 --usergroups usergroup1,usergroup2 --mappedusername backend-username --mappedpassword backend-password securityMap1
           Command create-connector-security-map executed successfully

EXIT STATUS
       0                 command executed successfully
       1                 error in executing the command

SEE ALSO
       asadmin-delete-connector-security-map(1AS), asadmin-list-connector-security-maps(1), asadmin-update-connector-security-map(1AS)

J2EE 1.4 SDK                                  March 2004                   asadmin-create-connector-security-map(1AS)