Cracked from lockd?


CanadaMan
10-13-2000, 02:18 PM
When I got into the office this morning I found an odd message waiting for me. Where you would normally type your login (runlevel 3) there was the following:
lockd: connect from unpriveleged port xxx.xxx.37.206:12634
A quick check of my logs showed that tcpd had denied ftp and telnet requests from the same host. Obviously a scan.

So this message worries me. I looked around my filesystem but didn't see anything that looked like it had been changed.

Did the cracker get in? I'm running a moderately secured RH6.2. I've heard that there are some security problems with it. Maybe I missed one?

Thanks!

klamath
10-13-2000, 04:17 PM
Have you downloaded the errata from Redhat's site?

Why are you running lockd? Do you need to be running NFS?

Have you installed a utility like tripwire? If so, now's the time to check the integrity of the system.

A clean re-install would be the only definite solution. It's really impossible to tell if someone broke into the system without more information.

------------------
- Klamath
Get my GnuPG Key Here (http://klamath.dyndns.org/mykey.asc)

toolie
10-13-2000, 06:10 PM
Unless you have tripwire or a variant (I use wanderblock), there is really no way to tell if somebody got in. A good rootkit can screw EVERYTHING up to the point of making it look normal.

CanadaMan
10-13-2000, 06:14 PM
I don't need to be running NFS. How do you shut it down?

I've been looking in /etc/inetd.conf but a lot of the services aren't in there (r commands, nfs, portmap).

Do you know where they are & how to get rid of them?

Anyway, let's hear it for daily backups!

Thanks again!


cs25x
10-13-2000, 10:57 PM
as root:
ps x
kill rpc.nfsd

go to your rc file and # the lines that turn on nfs at boot
do you need mountd? if not kill that too
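Putting cs25x's steps, and CanadaMan's question about where the non-inetd services live, into one script, as an added example that is not part of the thread. It scans a `ps x` listing for the NFS stack (portmap, rpc.statd, lockd, nfsd, rpc.mountd), scans a SysV runlevel directory for the S* links that start them at boot, and prints the kill and disable commands instead of running them. The process listing and the rc3.d listing below are constructed samples; the daemon names and the /etc/rc.d/rc3.d layout are what Red Hat 6.2 used. Note that `kill` takes a PID, not a name, which is why the script looks the PID up first.

```shell
#!/bin/sh
# Added example, not from the thread: audit a RH 6.2-style box for NFS services.
# Replace the two SAMPLE_ variables with "$(ps x)" and "$(ls /etc/rc.d/rc3.d)"
# to run it against a real machine; it only prints commands, it changes nothing.

# Constructed sample of `ps x` output (not from a real host).
SAMPLE_PS='  PID TTY      STAT   TIME COMMAND
    1 ?        S      0:04 init
  312 ?        S      0:00 portmap
  401 ?        S      0:00 rpc.statd
  415 ?        SW     0:00 [lockd]
  420 ?        SW     0:00 [nfsd]
  425 ?        S      0:00 rpc.mountd
  500 ?        S      0:00 /usr/sbin/sshd'

# Constructed sample of `ls /etc/rc.d/rc3.d` (SysV start/kill links on RH 6.2).
SAMPLE_RC='K20nfs
S10network
S11portmap
S14nfslock
S60nfs
S99local'

# The daemons cs25x names plus the rest of the NFS stack; with no NFS in use,
# none of them needs to be listening.
NFS_DAEMONS='portmap|rpc.statd|lockd|nfsd|rpc.mountd|rpc.nfsd|rpc.lockd'

# nfs_running: print "PID NAME" for every NFS-related process in a `ps x` listing.
# Kernel threads show up as [lockd] and daemons may carry a path, so both are stripped.
nfs_running() {
    printf '%s\n' "$1" | awk -v pat="$NFS_DAEMONS" '
        NR > 1 {
            cmd = $5
            sub(/^\[/, "", cmd); sub(/\]$/, "", cmd); sub(/^.*\//, "", cmd)
            if (cmd ~ ("^(" pat ")$")) print $1, cmd
        }'
}

# nfs_boot_links: print the S* links in a runlevel directory that start the NFS
# stack at boot (portmap, nfslock = lockd/statd, nfs = nfsd/mountd).
nfs_boot_links() {
    printf '%s\n' "$1" | grep -E '^S[0-9]+(portmap|nfslock|nfs)$'
}

# suggest_shutdown: emit the commands an admin would review and then run as root.
suggest_shutdown() {
    ps_out="$1"; rc_out="$2"
    nfs_running "$ps_out" | while read -r pid name; do
        echo "kill $pid    # $name"
    done
    nfs_boot_links "$rc_out" | while read -r link; do
        # Renaming S -> K (or removing the link) is what "# the lines in your rc file"
        # amounts to on a SysV layout: the service is no longer started at boot.
        echo "mv /etc/rc.d/rc3.d/$link /etc/rc.d/rc3.d/K${link#S}    # disable at boot"
    done
}

echo "NFS-related processes:"
nfs_running "$SAMPLE_PS"
echo
echo "Boot links that start them:"
nfs_boot_links "$SAMPLE_RC"
echo
echo "Suggested commands (review, then run as root):"
suggest_shutdown "$SAMPLE_PS" "$SAMPLE_RC"
```

After running the suggested commands, `rpcinfo -p localhost` should no longer list nfs, mountd or nlockmgr, and the `lockd: connect from unprivileged port` message cannot recur because nothing is there to accept the connection.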