"nate" <[EMAIL PROTECTED]> wrote: |> looks like you might of been hit with a lprng exploit .. >> |> |> http://www.securityfocus.com/archive/1/85002 |> |> hope your lprng is updated!
Rick Pasotto <[EMAIL PROTECTED]> wrote: |> I've occasionally been getting something similar. I think I've |> traced mine to the printer -- even though (or maybe because) it's |> turned off. Thank you both very much. Lprng certainly seems to be the culprit. I have the version from `testing' (3.8.0). nmap shows: Starting nmap V. 2.54BETA30 ( www.insecure.org/nmap/ ) Interesting ports on MY-REAL-IP (The 65527 ports scanned but not shown below are in state: closed) Port State Service 9/tcp open discard 13/tcp open daytime 22/tcp open ssh 25/tcp open smtp 37/tcp open time 487/tcp open saft 515/tcp open printer 5865/tcp open unknown Port 5865 is where junkbuster normally runs, I think, so I don't see anything very suspicious here. I had telnet turned on temporarily (to allow access for someone who does not have ssh), so maybe someone got access through the printer port via telnet. I've turned telnet off again. If anyone has any further advice, I'd be really grateful, Jim
