[TriLUG] possible intruder - advice?

Jon Carnes jonc at nc.rr.com
Mon May 24 10:51:30 EDT 2004


Port 1025 is used for Remote File Sharing, but it is also used by
certain trojans: Fraggle Rock, md5 Backdoor, NetSpy, Remote Storm.

I suggest that you either down your server remotely, or use IP Tables to
block all ports but the ones you know you need. 

I'm guessing that you've already done an NMAP scan of your system to see
if there are any other open ports.

Jon Carnes
 
On Mon, 2004-05-24 at 10:36, Marty Ferguson wrote:
> Google "port 1025"
> 
> TCP Port 1025. Common Use. Microsoft Remote Procedure Call (RPC)
> www.linklogger.com/TCP1025.htm
> 
> Are you running Samba?
> 
> M
> 
> -----Original Message-----
> From: trilug-bounces at trilug.org [mailto:trilug-bounces at trilug.org]On
> Behalf Of Andrew Perrin
> Sent: Monday, May 24, 2004 9:26 AM
> To: trilug at trilug.org
> Subject: [TriLUG] possible intruder - advice?
> 
> 
> I'm showing someone attached to my home machine's port 1025. This is,
> needless to say, not something I like.  fuser 1025/tcp and fuser 1025/udp
> show nothing. 1025 isn't listed in /etc/services. What else should I look
> at?
> 
> ap
> 
> ----------------------------------------------------------------------
> Andrew J Perrin - http://www.unc.edu/~aperrin
> Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
> 
> -- 
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
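
Added example, not part of any poster's message: when fuser shows nothing for a port, the kernel's socket table can be read directly and each socket inode matched against /proc/<pid>/fd. The sketch assumes Linux, IPv4 (/proc/net/tcp) and a little-endian host; the function names and the sample table are constructed for illustration.

```python
import glob, os, socket, struct

STATES = {"01": "ESTABLISHED", "06": "TIME_WAIT", "0A": "LISTEN"}

# Constructed sample in /proc/net/tcp layout; addresses and inodes are made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5001 1
   1: 0A00A8C0:0401 0B00A8C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 7002 1
   2: 0A00A8C0:0401 0C00A8C0:0050 06 00000000:00000000 03:00000A5C 00000000     0        0 0 3
"""

def decode_addr(field):
    """'0A00A8C0:0401' -> ('192.168.0.10', 1025); assumes a little-endian host."""
    ip_hex, port_hex = field.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16))), int(port_hex, 16)

def sockets_on_port(table, port):
    """Rows of a /proc/net/tcp dump whose local port equals `port`."""
    rows = []
    for line in table.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        local, remote = decode_addr(f[1]), decode_addr(f[2])
        if local[1] == port:
            rows.append({"local": local, "remote": remote,
                         "state": STATES.get(f[3], f[3]), "inode": int(f[9])})
    return rows

def pids_for_inode(inode, proc="/proc"):
    """PIDs holding an fd on the socket inode; empty for inode 0 (e.g. TIME_WAIT)."""
    pids = set()
    if inode == 0:
        return pids
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) == "socket:[%d]" % inode:
                pids.add(int(fd.split(os.sep)[-3]))
        except OSError:      # process exited, or fd not readable without root
            continue
    return pids

if __name__ == "__main__":
    path = "/proc/net/tcp"
    table = open(path).read() if os.path.exists(path) else SAMPLE
    for row in sockets_on_port(table, 1025):
        owners = sorted(pids_for_inode(row["inode"])) or "no owning process found"
        print(row["state"], row["local"], "<->", row["remote"], "pids:", owners)
```

Run it as root so other users' fd directories are readable. A row with no LISTEN state on the port means 1025 is only the local end of a connection, not a service accepting connections.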



