[TriLUG] My server hacked
Hariharan Gopalan
hari at sapta.com
Thu Sep 25 15:24:49 EDT 2003
It looks like my server has been hacked. I wonder if someone could please help
me find out what has been compromised.
Today when I ran the "iptables -t nat -L" on my server I found this entry:
DNAT tcp -- 203.196.193.102 anywhere tcp dpt:smtp myserverip:42424
DNAT tcp -- 203.115.97.35 anywhere tcp dpt:smtp myserverip:42424
I promptly removed these two rules from the chain.
I am not sure how this could have gotten here.
Then I used VisualRoute to trace where these IPs were, and they are coming
from somewhere in India.
It looks like someone has been using my server as a mail server, but I cannot
find any daemon running on port 42424.
Any ideas how I can dig into this?
Any help would be very welcome.
Thanks a bunch
Hari
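The two rules above are what a quick audit of the NAT table should surface on its own: a DNAT in PREROUTING that takes SMTP (dpt:25) from a handful of specific remote addresses and forwards it to a high, unregistered port on the same host. The following is an added example (it is not code from the post or from TriLUG) that parses an `iptables -t nat -L -n` listing and an `ss -ltn` listing and reports exactly that pattern, including the case Hari describes where nothing is listening on the target port. Both listings are constructed samples modelled on the post; 192.0.2.10 is a placeholder for "myserverip", and the set of ports an SMTP redirect is allowed to land on is an assumption of this audit.

```python
"""Audit an `iptables -t nat -L -n` listing for suspicious DNAT rules.

Added example, not part of the original post. All inputs below are
constructed samples; 192.0.2.10 stands in for the poster's "myserverip".
"""
import re
from dataclasses import dataclass

# Constructed sample of `iptables -t nat -L -n`, modelled on the two rules
# in the post (the real listing shows "to:" before the DNAT target).
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  203.196.193.102      0.0.0.0/0            tcp dpt:25 to:192.0.2.10:42424
DNAT       tcp  --  203.115.97.35        0.0.0.0/0            tcp dpt:25 to:192.0.2.10:42424

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  10.0.0.0/8           0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""

# Constructed sample of `ss -ltn`: sshd and a loopback-only MTA, nothing on 42424.
SAMPLE_LISTENERS = """\
State   Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN  0      128    0.0.0.0:22          0.0.0.0:*
LISTEN  0      100    127.0.0.1:25        0.0.0.0:*
"""

# Ports an SMTP DNAT may legitimately land on (assumption made for this audit).
ALLOWED_SMTP_TARGETS = {25, 465, 587}

# One DNAT line: target proto opt source destination [proto] dpt:N to:ADDR:PORT
DNAT_RE = re.compile(
    r"^DNAT\s+(?P<proto>\S+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?:\S+\s+)?dpt:(?P<dport>\d+)\s+to:(?P<to_addr>[\d.]+):(?P<to_port>\d+)"
)


@dataclass(frozen=True)
class DnatRule:
    chain: str
    proto: str
    src: str
    dst: str
    dport: int
    to_addr: str
    to_port: int


def parse_nat_listing(text):
    """Return every DNAT rule in an `iptables -t nat -L -n` listing, with its chain."""
    rules, chain = [], None
    for line in text.splitlines():
        if line.startswith("Chain "):
            chain = line.split()[1]
            continue
        m = DNAT_RE.match(line)
        if m:
            rules.append(DnatRule(chain, m["proto"], m["src"], m["dst"],
                                  int(m["dport"]), m["to_addr"], int(m["to_port"])))
    return rules


def parse_listening_ports(ss_text):
    """Return the set of TCP ports with a LISTEN socket from `ss -ltn` output."""
    ports = set()
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0] == "LISTEN":
            ports.add(int(fields[3].rsplit(":", 1)[1]))  # port after the last ':'
    return ports


def audit_dnat(rules, listening_ports, allowed_smtp_targets=ALLOWED_SMTP_TARGETS):
    """Return (rule, reasons) pairs for DNAT rules worth a second look.

    The listener check assumes the "to:" address is this host, as in the post;
    a DNAT to another machine would need that machine's socket table instead.
    """
    findings = []
    for r in rules:
        reasons = []
        if r.dport == 25 and r.to_port not in allowed_smtp_targets:
            reasons.append(f"SMTP redirected to non-standard port {r.to_port}")
        if r.to_port not in listening_ports:
            reasons.append(f"no local listener on port {r.to_port}")
        if r.src != "0.0.0.0/0":
            reasons.append(f"forwarding limited to one remote source {r.src}")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    rules = parse_nat_listing(SAMPLE_NAT_LISTING)
    listeners = parse_listening_ports(SAMPLE_LISTENERS)
    for rule, reasons in audit_dnat(rules, listeners):
        print(f"{rule.chain}: {rule.src} -> dpt:{rule.dport} => {rule.to_addr}:{rule.to_port}")
        for why in reasons:
            print("   -", why)
```

On a live box the two samples would be replaced by the output of `iptables -t nat -L -n` and `ss -ltn` (or `netstat -tln` on a 2003-era system, whose column layout differs). A DNAT whose target port has no listener on the host is itself a finding: either the redirect points somewhere that is not this machine after all, the process only runs part of the time, or the socket is being hidden from userland, which is a reason to compare the socket table from a trusted boot medium rather than from the running system.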