[sf-lug] interlopers continued

Michael Paoli Michael.Paoli at cal.berkeley.edu
Sat Jul 21 08:12:50 PDT 2007


If the host is root compromised, running nmap from that host may not
provide useful/accurate information (even if freshly installed, as
kernel and/or libraries may be compromised).

Note also that many attackers quickly secure systems from further exploit
once they've broken into them - this is common with botnets, as they
don't want some other attacker taking over the system that they just
compromised ... so ... checking what vulnerabilities remain may not be
useful in determining the initial attack vector.

Quoting Asheesh Laroia <asheesh at asheesh.org>:

> On Thu, 19 Jul 2007, Alex Kleider wrote:
> 
> > I agree that the above seems a reasonable assumption but in fact before
> > these connections got established, I'd never heard of IRC and had not
> > been surfing the web at all. I've been using this machine pretty much
> > solely to learn about networking and GNU/Linux in general. And all this
> > from the command line.
> 
> So you were probably broken into by some random loser attacking every 
> machine on the Internet.  You're probably not a real target; instead, the 
> guy just wants computers for his bot network as Rick described.
> 
> Sorry you got attacked!  Let's see if we can avoid that in the future. 
> Can you tell me the distribution and release number that you have 
> installed, and what services you are running?
> 
> If you don't know what services you run, an easy way to find out is to do 
> "nmap localhost" (you may need to install the nmap package from your 
> distribution).
> 
> I think we can get to the bottom of this.  I'll also try to start coming 
> to meetings again, and we can talk more then.
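An added example, not part of the thread above, illustrating the point about an untrusted local view and Asheesh's "nmap localhost" suggestion: parse nmap's greppable (-oG) output from a scan run on the host itself and from a scan of the same host run from a separate, trusted machine, then report the ports each side sees that the other does not. The sample scan text is constructed for the example.

```python
import re

# Constructed sample: nmap -oG output as reported from the suspect host itself
LOCAL_SCAN = """# constructed: nmap -oG - localhost
Host: 127.0.0.1 (localhost)\tPorts: 22/open/tcp//ssh///, 631/open/tcp//ipp///\tIgnored State: closed (1695)
# Nmap done"""

# Constructed sample: the same host scanned from another machine on the LAN
EXTERNAL_SCAN = """# constructed: nmap -oG - 192.168.1.10
Host: 192.168.1.10 ()\tPorts: 22/open/tcp//ssh///, 631/open/tcp//ipp///, 6667/open/tcp//irc///\tIgnored State: closed (1694)
# Nmap done"""

# One -oG port entry looks like: port/state/protocol//service///
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)//([^/]*)///")

def open_ports(grepable):
    """Return the set of (port, protocol) pairs reported open in -oG text."""
    ports = set()
    for line in grepable.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        fields = line.split("Ports:", 1)[1]
        for port, state, proto, _service in PORT_RE.findall(fields):
            if state == "open":
                ports.add((int(port), proto))
    return ports

def compare_views(local_scan, external_scan):
    """Diff the host's own view of its listeners against an outside view.

    hidden_locally: reachable from outside but absent from the local scan.
      On a host whose kernel or libraries may have been tampered with, this
      is the discrepancy worth investigating from a separate machine.
    local_only: seen locally but not from outside. Often just a host or
      network firewall, so it is informational rather than alarming.
    """
    local, external = open_ports(local_scan), open_ports(external_scan)
    return {
        "hidden_locally": sorted(external - local),
        "local_only": sorted(local - external),
    }

if __name__ == "__main__":
    print(compare_views(LOCAL_SCAN, EXTERNAL_SCAN))
```

Both scans must target the same interface addresses for the comparison to mean anything; a scan of 127.0.0.1 can legitimately differ from a scan of the LAN address.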