jamescoleman
May 3rd, 2009, 04:15 PM
So I was in the basement working on the ssh problem I'm having until I used the finger command on my laptop to find out that someone was logged in from 115.127.0.13*
which finds out a website from bangladash for news. I see that they've been logged into for 4 hours. I later goto my desktop and login using putty to see that they're still in. I nmap my lo back interface to find this...
root@user-laptop:/# nmap 127.0.0.1
Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-03 16:00 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
465/tcp open smtps
587/tcp open submission
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
2020/tcp open xinupageserver
5222/tcp open unknown
5900/tcp open vnc
I only had 22/80/5900 open to start with.
Then I run over to check the auth log file to find that the person from the same
ip address starts to use some program to find the correct user name and password.
Does anyone know what type of program does this and some possible names of it?
I checked out what port 2020 is and I found out that it's some rootkit.
Does anyone know what programs that I can use to scan for rootkits on my laptop?
I also guess a few groups got added which are arpwatch and citadel and
I guess the services aren't anything to worry about unless the person comes
back and uses them??
This is mostly myfault because I used an easy password along with an easy
user name. Plus I have port 22 open. If this happens again is there anyway to
close that persons connection to my computer? Also does anyone have any tips
on shutting down the ports but the ones I opened to start with?
which finds out a website from bangladash for news. I see that they've been logged into for 4 hours. I later goto my desktop and login using putty to see that they're still in. I nmap my lo back interface to find this...
root@user-laptop:/# nmap 127.0.0.1
Starting Nmap 4.76 ( http://nmap.org ) at 2009-05-03 16:00 EDT
Interesting ports on localhost (127.0.0.1):
Not shown: 987 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
80/tcp open http
110/tcp open pop3
143/tcp open imap
465/tcp open smtps
587/tcp open submission
631/tcp open ipp
993/tcp open imaps
995/tcp open pop3s
2020/tcp open xinupageserver
5222/tcp open unknown
5900/tcp open vnc
I only had 22/80/5900 open to start with.
Then I run over to check the auth log file to find that the person from the same
ip address starts to use some program to find the correct user name and password.
Does anyone know what type of program does this and some possible names of it?
I checked out what port 2020 is and I found out that it's some rootkit.
Does anyone know what programs that I can use to scan for rootkits on my laptop?
I also guess a few groups got added which are arpwatch and citadel and
I guess the services aren't anything to worry about unless the person comes
back and uses them??
This is mostly myfault because I used an easy password along with an easy
user name. Plus I have port 22 open. If this happens again is there anyway to
close that persons connection to my computer? Also does anyone have any tips
on shutting down the ports but the ones I opened to start with?