Just yesterday, my cable ISP shut me off (I'm on dial up now, ug!) because my IP has "been port scanning" and someone logged a complaint. *I* certainly am not doing this, so after turning on logging on my router, I see that my linux box is sending something every 1 minute 2 seconds. Example:
Date Time Src Src_Port Dest Dest_Port
07/23/2002 20:00:50 192.168.1.2 1034 207.110.0.52 6660
07/23/2002 20:01:52 192.168.1.2 1035 204.127.145.17 6660
07/23/2002 20:02:54 192.168.1.2 1036 154.11.89.164 6660
07/23/2002 20:03:56 192.168.1.2 1037 199.60.228.129 6660
07/23/2002 20:04:58 192.168.1.2 1038 205.188.149.3 6660
and so on
Up until yesterday, my HP pavilion machine has been happily running for 6 months, running the default redhat 7.0 install, with everything installed. I keep it up almost all the time because it's running a webserver.
When I try to log in to the console now, I get this error message:
Unable to load interpreter /lib/lb-linux.so.2
when I control-alt-del to reboot, most stuff shuts down [OK] except it seems that somethings aren't.
http and keytable didn't one time, eth0 another... etc?
This is redhat 7.0, kernel 2.2.16-22smp. Any ideas of
a) how to get back into my machine (console and telnet are both ignored)
b) figure out what happened
c) did someone hack my machine?
d) how to stop the port scanning originating from my machine
e) how to lock it down so I won't be hacked again.
f) if I have to rebuild, how can I without losing all the data on the drive
I'm not an expert. This isn't a commerical website, just running it for a friend's band.
Any ideas would be very helpful.
Bob
