On Mon, Mar 04, 2002 at 04:47:53PM -0600, Mike Hicks wrote: > "Raymond Norton" <admin at support.lctn.k12.mn.us> wrote: > > > > I am getting notices that a RedHAT server of mine is probing other > > networks. I need some advice on how to prevent this and find out what is > > occurring.The message info I received is below. I have since made sure the > > firewall is running and unnecessary ports including ftp are off. Any help > > to get on top of this would be greatly appreciated. I am fairly new, so > > please be specific. > > Umm.. Cut power to your machine. Boot up with tomsrtbt or a bootable > business card. Use `dd' and `nc' (netcat) or ssh to copy the contents of > your hard drive partitions to another system. Reinstall your system while > it is disconnected from the network or at least behind a firewall. Run > up2date or whatever other utility you like to patch your system to > whatever is current. Copy important data from the disk images back onto > your server, and then you'll be ready to have your computer on the network > again.. I agree with Mike that it appears someone or something has broken in to your system and has been using it to scan other networks. For forensic purposes, you may want to capture an image of the system in its present state. Once you have this image, you can safely reinstall your operating system and ressurect your system without being worried about destroying evidence. Later, you can make copies of the image and perform forensic analysis on them. The Coroner's Toolkit (TCT) is supposed to be a good set of tools for forensic analysis: http://www.porcupine.org/forensics/tct.html The above web site also offers some advice for people whose systems have been cracked. The lnx-bbc bootable business card includes some tools from TCT: http://www.lnx-bbc.org/ PLAC is another bootable CD image that contains TCT: http://sourceforge.net/projects/plac/ Joel