Hey Jerry,
We had a report that grv2 was running an IRC server. After looking into it I found that there were several ports open on that machine and it looked like that machine has been compromised. They are running SSH on port 16236 for example. I've included, at the bottom, some of what I've found on that machine. The short of it is that I had to disable the network port for that computer. I would like to come over tomorrow and take a look at it and see what we find. How critical is that machine? How long can you have that machine down? Most likely you all will have to reinstall the OS. I would also like to bring over a new person, Sasko Stefanovski, with me. He is the new IS person who was hired to help faculty/staff with some of the burden of administrating their servers.
Thanks,
Tim
Network address: 141.166.222.216
Ethernet address: 080020aafd7c
Network location: SCI2A-3.15
Interesting ports on grv2.richmond.edu (141.166.222.216):
(The 65523 ports scanned but not shown below are in state: closed)
Port       State   Service
22/tcp     open    ssh
23/tcp     open    telnet
111/tcp    open    sunrpc
1726/tcp   open    unknown
4546/tcp   open    unknown
6000/tcp   open    X11
16236/tcp  open    unknown
23485/tcp  open    unknown
32772/tcp  open    sometimes-rpc7
32773/tcp  open    sometimes-rpc9
32774/tcp  open    sometimes-rpc11
32776/tcp  open    sometimes-rpc15
telnet 141.166.222.216
Trying 141.166.222.216...
Connected to 141.166.222.216.
Escape character is '^]'.
SunOS 5.7
ssh -p 4546 141.166.222.216
The authenticity of host '141.166.222.216 (141.166.222.216)' can't be established.
RSA1 key fingerprint is dc:cd:da:72:fe:6e:db:70:ff:11:e5:cc:b4:27:80:80.
Are you sure you want to continue connecting (yes/no)? no
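The triage Tim did by hand above (scan, sort the open ports into "explained" and "unexplained", then connect to the odd ones and see what they say) can be scripted. The following is an added example, not part of Tim's e-mail or anything from the grv2 investigation. It re-parses the port listing from the e-mail (copied inline as constructed input), sorts each open port against an assumed baseline of what a stock Solaris 7 workstation with X11 should be listening on, and classifies an SSH version banner so that a protocol-1-only daemon stands out. The baseline set, the RPC dynamic-port range and the sample banner strings are assumptions for the example; the `grab_banner` helper does a live connection and is not exercised offline. One fact worth knowing when reading the transcript above: an "RSA1" host key fingerprint is what OpenSSH reports for an SSH protocol 1 host key, which is why a banner check for the protocol version is useful.

```python
import re
import socket
from dataclasses import dataclass

# Constructed copy of the nmap-style port listing from the e-mail above.
SCAN_OUTPUT = """\
Port State Service
22/tcp open ssh
23/tcp open telnet
111/tcp open sunrpc
1726/tcp open unknown
4546/tcp open unknown
6000/tcp open X11
16236/tcp open unknown
23485/tcp open unknown
32772/tcp open sometimes-rpc7
32773/tcp open sometimes-rpc9
32774/tcp open sometimes-rpc11
32776/tcp open sometimes-rpc15
"""

# ASSUMPTION: listeners a stock Solaris 7 workstation running X11 is expected
# to have. Anything outside this set (or the RPC range) needs an explanation.
EXPECTED_PORTS = {22, 23, 111, 6000}
# ASSUMPTION: Solaris RPC services bind dynamic ports starting at 32768.
# "Expected" here means rpcinfo -p should account for them, not that they are safe.
RPC_DYNAMIC = range(32768, 32800)

LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


@dataclass
class Listener:
    port: int
    proto: str
    state: str
    service: str


def parse_scan(text):
    """Parse 'port/proto state service' rows; header and prose lines are skipped."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return listeners


def triage(listeners):
    """Sort open ports into expected, RPC-dynamic and unexplained buckets."""
    buckets = {"expected": [], "rpc": [], "unexplained": []}
    for l in listeners:
        if l.state != "open":
            continue
        if l.port in EXPECTED_PORTS:
            buckets["expected"].append(l.port)
        elif l.port in RPC_DYNAMIC:
            buckets["rpc"].append(l.port)
        else:
            buckets["unexplained"].append(l.port)
    return {k: sorted(v) for k, v in buckets.items()}


SSH_BANNER_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)")


def classify_ssh_banner(banner):
    """Classify an SSH version string; "1.99" means the server speaks both 1 and 2."""
    m = SSH_BANNER_RE.match(banner.strip())
    if not m:
        return "not-ssh"
    version = m.group(1)
    if version in ("1.3", "1.5"):
        return "ssh1-only"
    if version == "1.99":
        return "ssh1-and-ssh2"
    if version == "2.0":
        return "ssh2"
    return "unknown"


def grab_banner(host, port, timeout=5.0):
    """Connect and read whatever the service says first (SSH servers send their
    version string before the client does). Does real network I/O."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            return s.recv(256).decode("ascii", "replace")
        except socket.timeout:
            return ""


if __name__ == "__main__":
    result = triage(parse_scan(SCAN_OUTPUT))
    for bucket, ports in result.items():
        print(f"{bucket:12s} {ports}")
    # Sample banners (constructed) of the kind grab_banner() would return.
    for b in ("SSH-1.5-1.2.27", "SSH-1.99-OpenSSH_2.3.0", "SSH-2.0-OpenSSH_3.1p1"):
        print(f"{b:28s} -> {classify_ssh_banner(b)}")
```

Run against the listing, the four ports with service "unknown" come out in the unexplained bucket, which is the list to connect to next; the 3277x ports go to the RPC bucket to be reconciled against rpcinfo. A host whose extra sshd answers with a 1.3 or 1.5 banner is speaking protocol 1 only, consistent with the RSA1 key the client reported on port 4546.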