
Re: grv2



hi tim,

   i am on sabbatical so i won't be around this week. the good news is
that IS is now supporting linux/unix and sasko has already been doing 
some of the system administration on our linux machines. sasko can get 
you in my lab. if you need help getting into the system, then call me
at 757-269-7454. grv2 is the lone sun machine in the small lab adjacent 
to our supercomputer.

jerry


> "St. Laurent, Tim" wrote:
> 
> Hey Jerry,
> 
> We had a report that grv2 was running an IRC server.  After looking into it I
> found that there were several ports open on that machine and it looked like
> that machine has been compromised.  They are running SSH on port 16236 for
> example.   I've included, at the bottom, some of what I've found on that
> machine.  The short of it is that I had to disable the network port for that
> computer.  I would like to come over tomorrow and take a look at it and see
> what we find.  How critical is that machine?  How long can you have that
> machine down?  Most likely you all will have to reinstall the OS.  I would
> also like to bring over a new person, Sasko Stefanovski, with me.  He is the
> new IS person who was hired to help faculty/staff with some of the burden of
> administrating their servers.
> 
> Thanks,
> 
> Tim
> 
> Network address: 141.166.222.216
> 
> Ethernet address: 080020aafd7c
> 
> Network location: SCI2A-3.15
> 
> Interesting ports on grv2.richmond.edu (141.166.222.216):
> (The 65523 ports scanned but not shown below are in state: closed)
> Port       State       Service
> 22/tcp     open        ssh
> 23/tcp     open        telnet
> 111/tcp    open        sunrpc
> 1726/tcp   open        unknown
> 4546/tcp   open        unknown
> 6000/tcp   open        X11
> 16236/tcp  open        unknown
> 23485/tcp  open        unknown
> 32772/tcp  open        sometimes-rpc7
> 32773/tcp  open        sometimes-rpc9
> 32774/tcp  open        sometimes-rpc11
> 32776/tcp  open        sometimes-rpc15
> 
> telnet 141.166.222.216
> Trying 141.166.222.216...
> Connected to 141.166.222.216.
> Escape character is '^]'.
> SunOS 5.7
> 
> ssh -p 4546 141.166.222.216
> The authenticity of host '141.166.222.216 (141.166.222.216)' can't be
> established.
> RSA1 key fingerprint is dc:cd:da:72:fe:6e:db:70:ff:11:e5:cc:b4:27:80:80.
> Are you sure you want to continue connecting (yes/no)? no

-- 
Dr. Gerard P. Gilfoyle
Physics Department                e-mail: ggilfoyl@richmond.edu
University of Richmond, VA 23173  phone:  804-289-8255
USA                               fax:    804-289-8482
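The triage in the quoted report (a port scan whose open ports are compared against what the machine should be serving, plus the observation that SSH answers on high, non-standard ports) can be scripted so the same check runs on every host in a lab. The following Python is an added example, not code from either correspondent or from the University of Richmond. It embeds the port table quoted above as constructed sample input; the expected-service baseline for a Solaris workstation, the RPC port range, and the probe banners are assumptions made for the example.

```python
import re

# Constructed sample input: the nmap-style port table quoted in the thread.
SCAN_OUTPUT = """\
Interesting ports on grv2.richmond.edu (141.166.222.216):
(The 65523 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
23/tcp     open        telnet
111/tcp    open        sunrpc
1726/tcp   open        unknown
4546/tcp   open        unknown
6000/tcp   open        X11
16236/tcp  open        unknown
23485/tcp  open        unknown
32772/tcp  open        sometimes-rpc7
32773/tcp  open        sometimes-rpc9
32774/tcp  open        sometimes-rpc11
32776/tcp  open        sometimes-rpc15
"""

# Assumed baseline: services a Solaris lab workstation is expected to expose
# (ssh, telnet, sunrpc portmapper, X11).  Anything else open is worth a look.
EXPECTED_PORTS = {22, 23, 111, 6000}
# Assumed: Solaris binds RPC services dynamically in this range, so a few
# "sometimes-rpc" ports here are normal and are not flagged on their own.
RPC_RANGE = range(32768, 32800)

# Constructed probe results: what a banner grab on the unknown ports returned.
# Modelled on the quoted ssh -p 4546 session, which negotiated an SSH1 (RSA1) key.
PROBE_BANNERS = {
    1726: "",                      # no banner within timeout (constructed)
    4546: "SSH-1.5-constructed",   # SSH answering on a non-standard port
    16236: "SSH-1.5-constructed",  # the port called out in the report
    23485: "",                     # no banner within timeout (constructed)
}

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_ports(text):
    """Parse nmap-style 'port/proto state service' rows.

    Returns a list of (port, proto, state, service) tuples; header and
    commentary lines are skipped.
    """
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def unexpected_open_ports(rows, expected=EXPECTED_PORTS, rpc_range=RPC_RANGE):
    """Open ports that are neither in the baseline nor in the RPC range."""
    return sorted(
        port for port, _proto, state, _svc in rows
        if state == "open" and port not in expected and port not in rpc_range
    )


def ssh_on_nonstandard_ports(banners, standard_port=22):
    """Ports whose banner identifies an SSH server but that are not port 22.

    A second sshd on a high port is a classic sign of an attacker-installed
    backdoor, which is exactly what the quoted report describes.
    """
    return sorted(
        port for port, banner in banners.items()
        if port != standard_port and banner.startswith("SSH-")
    )


def triage(text, banners):
    """Combine both checks into a verdict a responder can act on."""
    rows = parse_ports(text)
    unexpected = unexpected_open_ports(rows)
    rogue_ssh = ssh_on_nonstandard_ports(banners)
    return {
        "open_ports": [p for p, _, state, _ in rows if state == "open"],
        "unexpected": unexpected,
        "rogue_ssh": rogue_ssh,
        # Assumed policy: a rogue sshd is enough to isolate the host pending rebuild.
        "isolate": bool(rogue_ssh),
    }


if __name__ == "__main__":
    for key, value in triage(SCAN_OUTPUT, PROBE_BANNERS).items():
        print(f"{key}: {value}")
```

The verdict mirrors the action taken in the thread: the host is isolated at the network port and scheduled for an OS reinstall rather than cleaned in place, because a second sshd on a high port means the system's own binaries can no longer be trusted.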