[Gllug] False positive report?

Chris Bell chrisbell at overview.demon.co.uk
Thu Jan 5 14:36:06 UTC 2006


On Thu 05 Jan, Tethys wrote:
> 
> 
> Alain Williams writes:
> 
> >> > So what's listening on port 600, then?
> >> 
> >>    I have been searching for the command to check just that.
> >
> >netstat -ap
> 
> Or to cut out the cruft, and just show you what's listening:
> 
> 	netstat -nutlp
> 
> Tet

   That seems to confirm rpc.statd udp.

   I think that a M$ box which was connected to the network was infected by
a keylogger that collected passwords, allowing access to the network from
behind the firewall. I pulled all the plugs, then loaded a backup box for
dumping mainly ISO images, which could be checked from their md5sums, from
individual boxes. It is the only box now connected reporting possible
infection, and all other boxes connected to it have been re-loaded from
scratch.
   The box can now be wiped and re-loaded again if necessary, which would
not take long, but I found the suggestions of false reports which made me
re-consider.
   NFS has been installed, but not yet configured. There are several lines
corresponding to rpc.statd, but none appear suspicious to me without further
checking.

-- 
Chris Bell
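The thread's question is whether the listener on udp/600 is really rpc.statd. rpc.statd takes a dynamic port, so a legitimate instance should also be registered with the portmapper on that same port; cross-checking `netstat -nutlp` against `rpcinfo -p` is a quick first pass. The script below is an added example, not code from the thread or from any of its posters; the netstat and rpcinfo outputs in it are constructed samples, and the PID (1450) and port numbers are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original thread: cross-check a listening port
# against the portmapper's registrations. The netstat and rpcinfo output
# below is CONSTRUCTED sample data, not output from the poster's machine.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1234/portmap
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1300/sshd
udp        0      0 0.0.0.0:600             0.0.0.0:*                           1450/rpc.statd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           1234/portmap'

SAMPLE_RPCINFO='   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp    600  status
    100024    1   tcp    603  status'

# listener_for PORT PROTO NETSTAT_OUTPUT
# Prints the "PID/Program name" column for every socket bound to PORT/PROTO.
# Local Address is field 4; splitting on ":" and taking the last piece gives
# the port for both IPv4 ("0.0.0.0:600") and IPv6 (":::600") forms. The last
# field is PID/Program for tcp (which has a State column) and udp (which does not).
listener_for() {
    printf '%s\n' "$3" | awk -v p="$1" -v pr="$2" '
        $1 == pr { n = split($4, a, ":"); if (a[n] == p) print $NF }'
}

# rpc_service_on PORT PROTO RPCINFO_OUTPUT
# Prints the service name portmap has registered for PORT/PROTO (rpcinfo -p
# columns: program vers proto port service), or nothing if unregistered.
rpc_service_on() {
    printf '%s\n' "$3" | awk -v p="$1" -v pr="$2" '$3 == pr && $4 == p { print $5 }'
}

# check_port PORT PROTO NETSTAT_OUTPUT RPCINFO_OUTPUT
# One-line verdict. An RPC daemon such as rpc.statd binds a dynamic port, so a
# legitimate one should be registered with portmap under that same port; a
# listener with no registration deserves a look at the binary behind the PID.
check_port() {
    holder=$(listener_for "$1" "$2" "$3")
    svc=$(rpc_service_on "$1" "$2" "$4")
    if [ -z "$holder" ]; then
        echo "$2/$1: nothing listening"
    elif [ -n "$svc" ]; then
        echo "$2/$1: $holder, registered with portmap as '$svc'"
    else
        echo "$2/$1: $holder, not registered with portmap; inspect /proc/${holder%%/*}/exe"
    fi
}

# Run against the constructed samples. On a live box, as root, pass
# "$(netstat -nutlp)" and "$(rpcinfo -p)" instead of the sample strings.
check_port 600 udp "$SAMPLE_NETSTAT" "$SAMPLE_RPCINFO"
check_port 22  tcp "$SAMPLE_NETSTAT" "$SAMPLE_RPCINFO"
```

Two caveats. `netstat -p` only fills in the PID/Program column when run as root (otherwise it prints `-`), and both netstat and rpcinfo are userland tools reading from a kernel that a rootkit may already be lying through, so a clean result here rules out a sloppy intruder, not a careful one; on a box already suspected of compromise, the poster's plan of wiping and re-loading remains the only conclusive fix.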

-- 
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
