"Jenny" <ahajenny@gmail.com> writes:
> Dear groups,
>
> My computer was told that it sent unusual packets from port 60609 to
> some computer with IP 61.50.138.237 port 22. (more than 20 flows per
> second!!!)
>
> I am running Fedora Core 5 plus "OpenSSH_4.3p2, OpenSSL 0.9.8a 11 Oct
> 2005", I use netstat to check services I open, only mysql, samba,
> vsftp, ssh, http.
>
> I check /var/log, message and security. I can't find any successful
> logging from others. But I do find many many attacks from 61.50.138.*
> (not including the one 61.50.138.237 which my computer attacked!!!),
> and none of them succeeded.
>
> I have some questions to ask all of you, please help me!!!
>
> 1. is my computer hacked? if no, then why my computer sends packets
> from port 60609 to some computer port 22 ?

If neither you nor any authorized user to your knowledge is using the
machine, then this ssh connection to an IP in China is very likely a
compromise.

> 2. if my computer is hacked, then what can I do? reinstalling the
> system is the only way???

Yup. It's the only way to get back to a known state. Wiping and
reinstalling from original media.

--
Todd H.
http://www.toddh.net/