[Dshield] Proof of hacker. What do I do?

Dominique Fiori dominiquefiori at numericable.fr
Fri Sep 6 15:21:41 GMT 2002


Look, words fail me. I would like to give you and the other persons who gave 
me answers on my trivial query... A BIG THANK YOU.

In order to be less silly I am registering @ the only Red Hat certification in 
Paris and reading lots of books.
So far I haven't reinstalled my Windows and thanks to people like you my 
understanding of Linux is much better (that means that I can work with it; 
it has not been the case for a long time).

A special hello to Linda (thx for your e-mail).

If I can be of any help @ my wee level, just ask.

And remember, if anyone is interested in a holiday in Paris, just send a wee 
e-mail. We do flat exchange or just stay with us. Paris is not too bad; the only 
problem is that the French seem not to know about the Internet (actually 
this is BIG).

warmest regards

Dominique 

(As usual, please do not consider my pidgin English please... most of my time 
nowadays is spent on learning another universal language: Linux...)

PS: I cannot find an understandable www.com site on Linux firewalls (I am 
purely tired of reading pages on ReiserFS journals with scary figures. I can 
get around but am scared to miss something... it is hard to believe that the guy 
who has been torturing me is just gone...). Would you know a web site helping 
me get a good firewall for Linux??

On Tuesday 03 September 2002 18:36, Patrick Andry wrote:
> Here's my best shot at this:
>
> 1) Use netstat -natu instead of netstat -a to view listening/connected
> ports. Example of output:
> tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
> tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
> tcp        0      0 192.0.0.108:4168        192.0.0.1:143           ESTABLISHED
> tcp        0      0 192.0.0.108:139         192.0.0.5:1082          ESTABLISHED
> tcp      780      0 192.0.0.108:4697        192.0.0.1:139           ESTABLISHED
>
> Adding p to the flags will list programs, v will be verbose. In this
> example, I am listening on ports 23, 25 and 7741 (on all interfaces),
> and I have connections to two Samba shares, and my IMAP server.
>
> 2)  To cut and paste, it is usually done by highlighting text with the
> mouse, then using the 3rd mouse button to paste the highlighted text.
>  Sometimes this works, sometimes you need to ctrl-c and ctrl-v to paste,
> it really depends on the applications.
>
> 3) Learn firewalling rules, and make sure your system is patched to the
> latest! Many Linux installs will enable many services by default, and
> may not be up-to-date. The latest Apache and SSH vulns are deadly to a
> system on the net.
>
> And my last point, get used to hearing RTFM, but don't let that deter
> you from asking questions
>
> >Hi All,
> >
> >I am under a Hacker Attack which has forced me to move from Adv Serv to
> >Linux. (I just ask myself if that attack was a bad thing after all).
> >
> >Well, I had my fair share of pain but I am getting there... could any of
> >you explain to me how (please):
> >
> >1/ interpret netstat -a on LINUX
> >
> >2/ copy and paste the terminal (Gnome terminal) in order to transfer
> >the log onto an editor such as gedit or Vi please.
> >
> >3/ Any tips welcome.
> >
> >A great thanks to all of you for your knowledge, dedication and
> >...humour.
> >
> >Dominique from Froggy land.
> >
> >
> >
> >dominiquefiori at numericable.fr
> >
> >
> >(this mail is built under free license without the consent of the
> >Redmond Factory)
> >
> >>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
> >
> >On 8/27/02, 11:46:42 AM, "dominiquefiori"
> ><dominiquefiori at numericable.fr> wrote regarding RE: [Dshield] Proof of
> >hacker. What do I do?:
> >> What is this please? A news list? If yes, well we had the same
> >> problem:
> >> 0) When the attack occurs please stop your internet connection
> >>
> >> 1) run an anti virus, anti trojan soft (use 2 at least, as anti virus
> >> are not 100 % proof)
> >>
> >> 2) Try to determine what port was open /established
> >>
> >> 3) TCP view looks good but a good old netstat -a (-n to get just IP
> >> addresses).
> >>
> >> The philosophy is as follows: get rid of what has established the
> >> connection,
> >>
> >> ask yourself :
> >> - file shares with too many authorisations on my system?
> >> - no antivirus?
> >> - passwords written somewhere
> >> - internal mistake or vengeance (review accounts)
> >> - did I configure Windows right; if I am using Linux am I starting
> >> too many services.
> >>
> >>
> >> You understood me I guess: analyse how and why the connection was
> >> accepted.
> >
> >> On the other hand if it is on port 80 you might only be surfing.
> >>
> >> Warmest regards
> >>
> >> dominique "apologies for my poor english as I am French" Fiori
> >>
> >> Tel 00 33 6 73 87 32 62
> >>
> >>
> >> -----Original Message-----
> >> From: list-admin at dshield.org [mailto:list-admin at dshield.org] On
> >> Behalf Of Linda
> >> Sent: lundi 26 août 2002 17:00
> >> To: list at dshield.org
> >> Subject: [Dshield] Proof of hacker. What do I do?
> >>
> >>
> >> TCP d2f2t6:nbsession d2f2t6:0 LISTENING
> >>  TCP d2f2t6:2068 d2f2t6:0 LISTENING
> >> TCP d2f2t6:2070 d2f2t6:0 LISTENING
> >> TCP d2f2t6:2073 d2f2t6:0 LISTENING
> >> TCP d2f2t6:2074 d2f2t6:0 LISTENING
> >> TCP d2f2t6:2068 unknown.level3.net:80 ESTABLISHED
> >> TCP d2f2t6:2070 unknown.level3.net:80 ESTABLISHED
> >> TCP d2f2t6:2073 unknown.level3.net:80 ESTABLISHED
> >> TCP d2f2t6:2074 unknown.level3.net:80 ESTABLISHED
> >> UDP d2f2t6:nbname *:*
> >> UDP d2f2t6:nbdatagram *:*
> >> UDP d2f2t6:1978 *:*
> >> What I did was install TCPVIEW. Then I went into netstat. What I
> >> think is being stopped at my firewall is not being stopped. They are
> >> into dos. Here is my event log that corresponds with this.
> >> 2002/08/24 20:50:05 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1074 Port 1074 (TCP)
> >> 2002/08/24 20:35:48 63.210.68.215:80 (unknown.Level3.net) 66.44.192.178:1075 Port 1075 (TCP)
> >>
> >> I didn't get it all copied over because there are 8 entries on the
> >> firewall in a row.
> >>
> >> There are also large files showing up that I don't know what they
> >> are.
> >
> >> Help!
> >>
> >> _______________________________________________
> >> Dshield mailing list
> >> Dshield at dshield.org
> >> To change your subscription options (or unsubscribe), see:
> >> http://www.dshield.org/mailman/listinfo/list
> >>

-- 
Dominique Fiori-Wall
Net Data Dublin Ltd 2002
Paris Liaison office 
Tel : 00 33 (6) 73 87 32 62 
Dublin headquarter
00353 (0) 866 39 65 407

E mails :   dominiquefiori at numericable.fr
	   netdata2002 at numericable.fr
	   dominiquefiori at netscape.net
Wap mail : 0673873262 at orange.fr
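The netstat reading in Patrick Andry's quoted reply above (listening sockets versus established connections) and Dominique's step 2 ("determine what port was open/established"), worked as an added Python example that is not part of this thread: it parses `netstat -natu` output and reports any listener that is not on an allowlist the administrator keeps. The sample rows and the allowlist are constructed here to mirror the quoted output.

```python
import re

# Constructed sample in the layout of `netstat -natu` (no -p, so no program
# column); the rows mirror the ones quoted in the reply above.
SAMPLE = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:7741            0.0.0.0:*               LISTEN
tcp        0      0 192.0.0.108:4168        192.0.0.1:143           ESTABLISHED
tcp        0      0 192.0.0.108:139         192.0.0.5:1082          ESTABLISHED
tcp      780      0 192.0.0.108:4697        192.0.0.1:139           ESTABLISHED
udp        0      0 0.0.0.0:68              0.0.0.0:*
"""

# proto, Recv-Q, Send-Q, local addr:port, foreign addr:port, optional state
ROW = re.compile(r"^(tcp|udp)6?\s+(\d+)\s+(\d+)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S+)?$")

def parse_netstat(text):
    """One dict per socket row; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        proto, rq, sq, laddr, lport, faddr, fport, state = m.groups()
        rows.append({"proto": proto, "recvq": int(rq), "sendq": int(sq),
                     "local": laddr, "lport": None if lport == "*" else int(lport),
                     "remote": faddr, "rport": None if fport == "*" else int(fport),
                     "state": state or ""})
    return rows

def listening(rows):
    """Sockets waiting for peers: TCP in LISTEN, or a bound UDP socket with no peer."""
    return sorted((r["proto"], r["lport"]) for r in rows
                  if r["state"] == "LISTEN" or (r["proto"] == "udp" and r["rport"] is None))

def established(rows):
    """Live TCP connections as (local, lport, remote, rport); recvq > 0 means unread data."""
    return [(r["local"], r["lport"], r["remote"], r["rport"])
            for r in rows if r["state"] == "ESTABLISHED"]

def unexpected_listeners(rows, baseline):
    """Listeners missing from the administrator's own allowlist: the ones to explain."""
    return [s for s in listening(rows) if s not in baseline]

if __name__ == "__main__":
    rows = parse_netstat(SAMPLE)
    print(unexpected_listeners(rows, {("tcp", 23), ("tcp", 25), ("udp", 68)}))  # constructed allowlist
```

Run `netstat -natu | python3 this_script.py` style piping by replacing SAMPLE with `sys.stdin.read()`; the allowlist is whatever the administrator has confirmed should be listening on that host.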