RH 9.x Machine Vulnerabilities


melban
02-12-2004, 07:15 PM
OS: Linux Red Hat 9.0 release unknown
Hardware: 333mhz P2, 256 Ram, 40GB HD
Use: Horde webmail
Installed: Apache 1.3, PHP 4.x, MySQL 3.x, Horde, IMP, Webmin, Samba


I recently put up a machine to run as a webmail server for the domains at my location. After having it up for about 2 weeks Qwest called us saying that it was scanning ports on computers on the net and that we need to do something about it. We have since taken it offline and installed all the latest security updates and updated the kernel. The version it was running was Linux Red Hat 9.0 that was released back in October 2003.

- What can we do to make sure that the issue has been fixed?

- How can we find out what it was doing exactly?

- Is there a way to monitor it so if it does it again we will notice before being called by our ISP?

Thanks
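The third question above (noticing a repeat before the ISP does) is answerable from the box's own logs. The script below is an added example, not something posted in this thread: it assumes new outbound TCP connections are logged by an iptables rule of the form `iptables -A OUTPUT -o eth0 -p tcp --syn -j LOG --log-prefix "OUTBOUND "`, which on RH 9 lands SRC=/DST=/DPT= fields in /var/log/messages. The log lines, the `sample_log` and `scan_suspects` names and the TEST-NET addresses are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). Flags hosts that open TCP connections to
# many distinct destination host:port pairs, which is what an upstream ISP sees
# as a port scan. Assumes new outbound SYNs are logged by an iptables rule such as
#   iptables -A OUTPUT -o eth0 -p tcp --syn -j LOG --log-prefix "OUTBOUND "
# which writes SRC=/DST=/DPT= fields to the kernel log (/var/log/messages on RH 9).

# Constructed log sample: 192.0.2.5 sweeps 25 ports on one host (scanner-like),
# 192.0.2.6 makes three ordinary connections (mail, DNS, web). TEST-NET addresses.
sample_log() {
    i=1
    while [ "$i" -le 25 ]; do
        printf 'Feb 12 18:01:%02d webmail kernel: OUTBOUND IN= OUT=eth0 SRC=192.0.2.5 DST=198.51.100.7 PROTO=TCP SPT=4%04d DPT=%d SYN\n' "$i" "$i" "$i"
        i=$((i + 1))
    done
    printf 'Feb 12 18:02:01 webmail kernel: OUTBOUND IN= OUT=eth0 SRC=192.0.2.6 DST=198.51.100.9 PROTO=TCP SPT=51000 DPT=25 SYN\n'
    printf 'Feb 12 18:02:02 webmail kernel: OUTBOUND IN= OUT=eth0 SRC=192.0.2.6 DST=198.51.100.2 PROTO=TCP SPT=51001 DPT=53 SYN\n'
    printf 'Feb 12 18:02:03 webmail kernel: OUTBOUND IN= OUT=eth0 SRC=192.0.2.6 DST=198.51.100.9 PROTO=TCP SPT=51002 DPT=80 SYN\n'
}

# scan_suspects [threshold]: read log lines on stdin, print "SRC count" for every
# source that reached at least <threshold> distinct DST:DPT pairs (default 20).
# Counting distinct pairs rather than raw lines keeps a busy but legitimate
# mail server (many connections to the same few ports) below the line.
scan_suspects() {
    threshold="${1:-20}"
    awk -v thr="$threshold" '
        /kernel:.*OUT=eth0/ {
            src = ""; dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                n = split($i, kv, "=")
                if (n < 2) continue
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "DST") dst = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (src == "" || dst == "" || dpt == "") next
            key = src SUBSEP dst ":" dpt
            if (!(key in seen)) { seen[key] = 1; distinct[src]++ }
        }
        END {
            for (s in distinct)
                if (distinct[s] >= thr) printf "%s %d\n", s, distinct[s]
        }'
}

# Demo on the constructed sample. On the real box run something like
#   grep OUTBOUND /var/log/messages | scan_suspects 20
# from cron and mail yourself the output whenever it is non-empty.
sample_log | scan_suspects 20
```

The threshold is deliberately a parameter: a webmail host that relays mail will legitimately talk to many hosts on port 25, but it has no reason to touch dozens of different ports on one host in a minute.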

mdwatts
02-12-2004, 07:36 PM
Check to see what services you have running.

ps ax

You might have some sort of port scanner running such as nmap.

See if Redhat has a list of software and descriptions and then search through that for 'scan' or 'port'. If you find one, check to see if it's installed and running.
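A scripted version of the `ps ax` check, added here as an example and not part of mdwatts's post: it matches the executable's basename against a short list of scanner binaries rather than grepping for "port" or "scan" (which also hits portmap), and reports the process state, since a process in state T is stopped at a terminal rather than scanning. The `SAMPLE_PS` listing, the `find_scanner_procs` name and the TEST-NET addresses are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): triage a `ps ax` listing for scanner
# processes. Matches the command's basename against a list of known scanner
# binaries instead of grepping for "port" or "scan", which would also hit
# portmap, and reports the process state: a process in state T is stopped at
# a tty, one in state R with tty "?" is actively running in the background.

# Constructed sample modelled on the listing in the thread; addresses are TEST-NET.
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
  972 ?        S      0:00 [portmap]
 4015 ?        S      0:38 /usr/sbin/httpd
25101 tty1     T      0:00 man nmap
25116 tty1     T      0:00 nmap -sV 192.0.2.10
25119 ?        R      1:12 /tmp/.x/nmap -p- 192.0.2.0/24
28176 ?        S      0:00 /usr/sbin/sshd'

# Scanner binaries to flag (extend as needed); matched as a whole basename,
# so "man nmap" (basename "man") is not reported.
SCANNER_NAMES='nmap|nmapfe|hping|hping2|amap'

# find_scanner_procs: read `ps ax` output on stdin, print "PID state command"
# for each process whose executable basename is in SCANNER_NAMES.
find_scanner_procs() {
    awk -v names="$SCANNER_NAMES" '
        NR == 1 { next }                       # header line
        {
            cmd = $5
            sub(/.*\//, "", cmd)               # strip directory: /tmp/.x/nmap -> nmap
            if (cmd ~ ("^(" names ")$")) {
                if ($3 ~ /^T/)      state = "stopped"
                else if ($3 ~ /^R/) state = "RUNNING"
                else                state = "sleeping"
                printf "%s %s %s", $1, state, $5
                for (i = 6; i <= NF; i++) printf " %s", $i
                printf "\n"
            }
        }'
}

# Demo on the constructed sample. On the box itself: ps ax | find_scanner_procs
# A hit with tty "?" and a path under /tmp or a dot-directory is the one to
# treat as an intruder's process rather than an admin's interactive shell.
printf '%s\n' "$SAMPLE_PS" | find_scanner_procs
```

The expected demo output is the two nmap processes (25116 stopped, 25119 RUNNING); the `man nmap` viewer and portmap are not reported.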

melban
02-13-2004, 12:53 PM
Think so. What should be my next course of action?


PID TTY STAT TIME COMMAND
1 ? S 0:21 init
2 ? SW 0:00 [migration/0]
3 ? SW 0:00 [migration/1]
4 ? SW 0:00 [keventd]
5 ? SWN 0:00 [ksoftirqd_CPU0]
6 ? SWN 0:00 [ksoftirqd_CPU1]
11 ? SW 0:00 [bdflush]
7 ? SW 0:21 [kswapd]
8 ? SW 0:03 [kscand/DMA]
9 ? SW 47:03 [kscand/Normal]
10 ? SW 0:00 [kscand/HighMem]
12 ? SW 0:06 [kupdated]
13 ? SW 0:00 [mdrecoveryd]
19 ? SW 0:00 [scsi_eh_0]
22 ? SW 0:09 [kjournald]
80 ? SW 0:00 [khubd]
655 ? SW 0:00 [kjournald]
656 ? SW 0:00 [kjournald]
657 ? SW 0:06 [kjournald]
950 ? S 0:05 syslogd -m 0
954 ? S 0:00 klogd -x
972 ? S 0:00 [portmap]
991 ? S 0:00 [rpc.statd]
1141 ? S 0:00 gpm -t ps/2 -m /dev/mouse
1150 ? S 0:05 crond
1219 ? S 0:00 [xfs]
1237 ? S 0:01 [atd]
1249 ? S 0:50 /usr/bin/perl /etc/webmin-1.121/miniserv.pl /etc/webmin/miniserv.conf
1252 ? S 0:00 login -- root
1253 ? S 0:00 login -- root
1254 tty3 S 0:00 /sbin/mingetty tty3
1255 tty4 S 0:00 /sbin/mingetty tty4
1256 tty5 S 0:00 /sbin/mingetty tty5
1257 tty6 S 0:00 /sbin/mingetty tty6
1258 tty1 S 0:01 -bash
3266 ? S 0:14 [named]
4015 ? S 0:38 /usr/sbin/httpd
24623 ? S 0:02 linux -f /usr/lib/linux_cfg
25045 ? S 0:09 crond
24934 tty1 S 0:00 su root
24935 tty1 S 38:22 bash
25101 tty1 T 0:00 man nmap
25102 tty1 T 0:00 sh -c (cd /usr/local/man && (echo ".pl 1100i"; /bin/cat '/usr/local/man/man1/nmap.1'; echo; echo ".pl \n(nlu+10") | /usr/bin/gtbl | /usr/bin/nroff -c -mandoc | /usr/bin/less -isr)
25107 tty1 T 0:00 /bin/sh /usr/bin/nroff -c -mandoc
25108 tty1 T 0:00 /usr/bin/less -isr
25111 tty1 T 0:00 groff -mtty-char -Tutf8 -P-c -mandoc
25113 tty1 T 0:00 grotty -c
25116 tty1 T 0:00 nmap -sV 65.114.204.178
25121 tty1 T 0:00 man nmap
25122 tty1 T 0:00 sh -c (cd /usr/local/man && (echo ".pl 1100i"; /bin/cat '/usr/local/man/man1/nmap.1'; echo; echo ".pl \n(nlu+10") | /usr/bin/gtbl | /usr/bin/nroff -c -mandoc | /usr/bin/less -isr)
25127 tty1 T 0:00 /bin/sh /usr/bin/nroff -c -mandoc
25130 tty1 T 0:00 /usr/bin/less -isr
25131 tty1 T 0:00 groff -mtty-char -Tutf8 -P-c -mandoc
25133 tty1 T 0:00 grotty -c
27185 tty1 S 0:00 bash
27242 tty1 T 0:00 man fam
27245 tty1 T 0:00 sh -c (cd /usr/share/man && (echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share/man/man1/fam.1m.gz'; echo; echo ".pl \n(nlu+10") | /usr/bin/gtbl | /usr/bin/nroff -c -mandoc | /usr/bin/less -isr)
27249 tty1 T 0:00 /bin/sh /usr/bin/nroff -c -mandoc
27253 tty1 T 0:00 /usr/bin/less -isr
27254 tty1 T 0:00 groff -mtty-char -Tutf8 -P-c -mandoc
27256 tty1 T 0:00 grotty -c
27301 tty1 T 0:00 man fam
27304 tty1 T 0:00 sh -c (cd /usr/share/man && (echo ".pl 1100i"; /usr/bin/gunzip -c '/usr/share/man/man1/fam.1m.gz'; echo; echo ".pl \n(nlu+10") | /usr/bin/gtbl | /usr/bin/nroff -c -mandoc | /usr/bin/less -isr)
27312 tty1 T 0:00 /usr/bin/less -isr
27319 tty1 T 0:00 fam -L
27399 tty1 T 0:00 man update
27402 tty1 T 0:00 sh -c (cd /usr/share/man && (echo ".pl 1100i"; /usr/bin/gunzip -c /usr/share/man/man7/update.7.gz'; echo; echo ".pl \n(nlu+10") | /usr/bin/gtbl | /usr/bin/nroff -c -mandoc | /usr/bin/less -isr)
27409 tty1 T 0:00 /usr/bin/less -isr
27465 tty2 S 0:00 -bash
28095 ? S 0:04 cupsd
28176 ? S 0:00 /usr/sbin/sshd
28217 ? S 0:03 smbd -D
28221 ? S 0:12 nmbd -D
28288 ? S 0:00 rhnsd --interval 240
28307 ? S 0:00 xinetd -stayalive -pidfile /var/run/xinetd.pid

Ebender1965
02-13-2004, 02:17 PM
Kill the process so it no longer runs. In your screenshot it is PID 25116.

melban
02-17-2004, 11:58 AM
So if I kill this it won't start up again till I restart the machine? Was this program already running or did someone start it remotely?

mdwatts
02-17-2004, 12:46 PM
Originally posted by melban
Was this program already running or did someone start it remotely?

Hard to tell.

Have a look through your service startup script directory for the runlevel you are using to see if there is a script to start nmap.
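One way to do that check in a repeatable way, added here as an example rather than taken from the thread: on Red Hat the runlevel directory (/etc/rc.d/rc3.d for a text-mode server) holds S* links into /etc/rc.d/init.d, so grepping each link's target for the scanner's name finds a start script that launches it. The script builds a constructed stand-in for those directories in a temp dir so it runs anywhere; the service names, the `netcfg-helper` script, and the `make_sample_rc` and `find_startup_refs` names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): look through a runlevel's start scripts
# for anything that launches a scanner. Builds a constructed stand-in for
# /etc/rc.d/rc3.d and /etc/rc.d/init.d in a temp dir so it runs anywhere;
# the service names and the "netcfg-helper" script are made up for the demo.

make_sample_rc() {
    base="$1"
    mkdir -p "$base/init.d" "$base/rc3.d"
    printf '#!/bin/sh\n# constructed httpd init script\ndaemon /usr/sbin/httpd\n' > "$base/init.d/httpd"
    printf '#!/bin/sh\n# constructed sshd init script\ndaemon /usr/sbin/sshd\n' > "$base/init.d/sshd"
    printf '#!/bin/sh\n# constructed: innocent-looking name, starts a scanner at boot\n/usr/local/bin/nmap 198.51.100.0/24 >/dev/null 2>&1 &\n' > "$base/init.d/netcfg-helper"
    # Red Hat runs the S* links in the runlevel directory; each points into init.d
    ln -sf ../init.d/httpd "$base/rc3.d/S85httpd"
    ln -sf ../init.d/sshd "$base/rc3.d/S55sshd"
    ln -sf ../init.d/netcfg-helper "$base/rc3.d/S99netcfg-helper"
}

# find_startup_refs <rcdir> [pattern]: for every S* start link in <rcdir>, grep the
# script it points to (default pattern: nmap) and print the link, its target and
# the matching lines. Nothing is printed for a clean runlevel.
find_startup_refs() {
    rcdir="$1"
    pattern="${2:-nmap}"
    for link in "$rcdir"/S*; do
        [ -e "$link" ] || continue                     # no S* entries at all
        hits=$(grep -n -i -- "$pattern" "$link" 2>/dev/null) || continue
        target=$(readlink "$link" 2>/dev/null || echo "$link")
        printf '%s -> %s\n%s\n' "$link" "$target" "$hits"
    done
}

# Demo on the constructed tree. On the real box:
#   find_startup_refs /etc/rc.d/rc3.d          (and rc5.d if it boots into X)
demo_dir=$(mktemp -d)
make_sample_rc "$demo_dir"
find_startup_refs "$demo_dir/rc3.d"
rm -rf "$demo_dir"
```

On Red Hat, `chkconfig --list` gives the same per-runlevel view of which scripts are enabled, which is a quick way to spot a service name you never installed before reading its script.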