hi ya

> > Nov 21 03:29:36 lan1 -- MARK --
> > Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line
> > 'BBÜóÿ¿Ýóÿ¿Þóÿ¿ßóÿ¿XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u

they tried.... doesn't mean they got in

> > I searched the system for fragments of the Ramen worm after reboot but I
> > found nothing suspicious.

how did you check ???

http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/ramenfind.htm
  - lots of tools to check for stuff

to check for other root kits they may have used/hidden/left behind...
  http://www.chkrootkit.org
  - many other tools ( search for rootkit, trojans, etc.. )

if you re-install without digging deeper...you won't learn anything new ??

if you do dig deeper..maybe you'd find lots of suspicious files???

re-install assumes you patch it up to current levels, and that your
backup data does NOT have any trojans

Debian Security howto
http://www.debian.org/doc/manuals/securing-debian-howto/

c ya
alvin
http://www.Linux-Sec.net .. rest of the hardening howto ..

> > The attack seemed to come over nmbd, although all ports, except inetd are
> > blocked to the outside via ipchains. I had a number of rejected packets
> > to port 137 immediately before, nmbd crashed and the lprng exploit started.
> > So there are some questions, I would like to pose :
> > Is Woody's lprng still vulnerable ? I've got the latest version.
> > Is the shown exploit a sign that someone already was in there, or just for
> > an attempt ?
> > Can I find possible backdoors, or will I have to re-install ?
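
Added example, not part of the original thread: a Python scan of syslog for LPRng "bad request line" entries that carry printf write directives such as the %300$n in the log quoted above. A hit records an attempt only, not a compromise; the sample lines are constructed, except that the second reuses the printable part of the quoted request.

```python
import re

# Syslog line: "Nov 21 03:32:08 lan1 SERVER[2757]: message"
SYSLOG = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<tag>[^:\[\s]+)(?:\[(?P<pid>\d+)\])?:\s(?P<msg>.*)$"
)
# printf write directive, plain (%n, %hn) or positional (%300$n)
WRITE_DIRECTIVE = re.compile(r"%(?:\d+\$)?(?:hh|h|l|ll)?n")
# Width/precision-padded numeric conversion used to set the count, e.g. %.156u
PAD_DIRECTIVE = re.compile(r"%(?:\d+\$)?\.?\d+[udx]")

def scan(lines):
    """Return one finding per 'bad request line' entry containing %n writes."""
    findings = []
    for line in lines:
        m = SYSLOG.match(line.rstrip("\n"))
        if not m or "bad request line" not in m["msg"]:
            continue
        writes = WRITE_DIRECTIVE.findall(m["msg"])
        if not writes:
            continue  # malformed request, but no format-string write directive
        findings.append({
            "ts": m["ts"],
            "host": m["host"],
            "pid": m["pid"],
            "writes": writes,
            "pads": PAD_DIRECTIVE.findall(m["msg"]),
        })
    return findings

# Constructed sample input (non-printable bytes of the quoted request omitted)
SAMPLE = [
    "Nov 21 03:29:36 lan1 -- MARK --",
    "Nov 21 03:32:08 lan1 SERVER[2757]: Dispatch_input: bad request line "
    "'XXXXXXXXXXXXXXXXXX%.156u%300$n%.21u%301$nsecurity%302$n%.192u",
    "Nov 21 03:40:11 lan1 SERVER[2757]: Dispatch_input: bad request line "
    "'GET / HTTP/1.0'",
    "Nov 21 03:41:02 lan1 backup[811]: archive 100% done, 0 errors",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f"{f['ts']} {f['host']} pid={f['pid']} "
              f"writes={f['writes']} pads={f['pads']}")
```

A finding like this is a reason to run the checks named in the reply (ramenfind, chkrootkit), since the log line by itself cannot show whether the write succeeded.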