 maxflia join:2003-06-30 Holly Springs, NC | Remove X Window Server I think one of my computers has been hacked. X Window Server is installed on it. It uses port 6002 and X11:2 service. How can I uninstall this application and prevent it from reinstalling? Thank you for any help |
|
 donoreo Premium join:2002-05-30 North York, ON | What distro is it? |
|
 maxflia join:2003-06-30 Holly Springs, NC | I'm not sure. How can I find out? I found out by using Look at LAN and scanning the active services. All it says is port 6002 Service X11:2 Description X Windows Server. This is on a Windows XP box and 2003 server. |
|
 donoreo Premium join:2002-05-30 North York, ON | You used a Windows box to scan or X is running on a Windows box? If the latter, why are you asking in a Unix forum? |
|
 jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI kudos:1 | reply to maxflia How do you know that it's been hacked? And it just shows something running on port 6002. Traditionally X Windows does listen on 6000+display_number but it's not necessarily (and in fact, unlikely) that it's an X windows server running on your Windows box, but rather some other service happening to listen on port 6002. -- UbuntuForums Administrator: try Ubuntu Linux |
|
 JohnInSJ Premium join:2003-09-22 San Jose, CA | reply to maxflia 1) unplug network cable - if you need it to access the box, at least unplug from internet after the switch/router
2) as root, ps lax and top - look for pscan and/or vnc processes, kill them
3) look in /tmp for the usual drop in exploits via unpatched php-based web suites (twiki and others) or any other exploit that the script kiddies love
4) reboot, see if pscan starts right up with the vnc junk, if so backup userdata, nuke system from space, rebuild (assume compromised system - safest approach)
5) if not, probably can get by with local cleanup, find attack vector and fix, etc...
What's with all the unregistered posters lately? Can Steve Ballmer really have that much free time? -- My place : »www.schettino.us |
|
 maxflia join:2003-06-30 Holly Springs, NC | reply to jdong The bandwidth usage from the two computers has been very high. (100Mb an hour sometimes) I'm posting here because from what I can tell X Server is a Linux program. Does anyone know how I can verify the X Server is or is not running on my two machines? |
|
 GILXA1226 Premium, MVM join:2000-12-29 London, OH | Are the machines running Windows? If so it probably isn't an X server. Your best bet would be to open the task manager and see what was running.
Also... the X Server is a window server, not relegated just to Linux... you can get X servers for Windows, but they also come with almost all unix variants. |
|
 nwrickert sand groper Premium, MVM join:2004-09-04 Geneva, IL kudos:7 | reply to maxflia I agree with jdong, that you probably do not have an X windows server. Rather, the software causing you problems is using port 6002 because that is unlikely to conflict with anything else.
Incidentally, I do have an X server on one of my XP boxes, mostly for testing. It is unlikely that a cracker would install this. Normal reason for installing is to allow you to run X windows applications on a nearby unix box, and display their output on your Windows box.
You need to find out which software is using port 6002. I think there are commands to do that, but maybe you need to install something first. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 2.0.0.5 |
|
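Added example, not part of any post in this thread: one way to find out which software is using port 6002 on a Windows machine is to join the output of `netstat -ano` (sockets with owning PID) against `tasklist /FO CSV /NH` (PID to image name). The sample outputs, PIDs and process names below are constructed placeholders, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample of `netstat -ano` output (not taken from the thread).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       1432
  TCP    0.0.0.0:6004           0.0.0.0:0              LISTENING       2040
  TCP    192.168.1.10:6002      203.0.113.7:51234      ESTABLISHED     1432
  UDP    0.0.0.0:500            *:*                                    680
"""

# Constructed sample of `tasklist /FO CSV /NH` output; image names are placeholders.
TASKLIST_SAMPLE = '''\
"svchost.exe","884","Console","0","3,456 K"
"placeholder-app.exe","1432","Console","0","12,000 K"
"placeholder-svc.exe","2040","Console","0","8,120 K"
'''

def parse_listeners(netstat_text):
    """Return {local_port: pid} for every TCP socket in LISTENING state."""
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0] == "TCP" and fields[3] == "LISTENING":
            port = int(fields[1].rsplit(":", 1)[1])  # rsplit also copes with [::]:6002
            listeners[port] = int(fields[4])
    return listeners

def parse_tasklist(tasklist_text):
    """Return {pid: image_name} from CSV-formatted tasklist output."""
    rows = csv.reader(io.StringIO(tasklist_text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def owner_of(port, netstat_text, tasklist_text):
    """Return (pid, image_name) for the listener on a port, or None if nothing listens."""
    pid = parse_listeners(netstat_text).get(port)
    if pid is None:
        return None
    return pid, parse_tasklist(tasklist_text).get(pid, "<unknown>")

if __name__ == "__main__":
    for port in (6002, 6004, 6003):
        print(port, owner_of(port, NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

The image name, not the port number, is what identifies the program; a scanner label such as "X11:2" is only a lookup of the port number in a well-known-ports table.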
 jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI kudos:1 | reply to maxflia Do an NMAP service scan, check active processes, install a software firewall with outbound protection that can identify what process is communicating.
I'm MORE than willing to put money on it's some P2P app using port 6002 -- UbuntuForums Administrator: try Ubuntu Linux |
|
 donoreo Premium join:2002-05-30 North York, ON | reply to maxflia I bet it is some P2P software as well. Whatever he used to find it is probably making an assumption that it is an X server because it is running on port 6002. |
|
 maxflia join:2003-06-30 Holly Springs, NC | I'm stumbling through NMAP right now. It's not showing 6002 but it is showing 6004 ncacn_http Microsoft Windows RPC over HTTP. I recently have taken over this network and I am trying to clean it up. Thanks for the help. |
|
 jdong Eat A Beaver, Save A Tree. Premium join:2002-07-09 Rochester, MI kudos:1 | reply to maxflia At this point, I think you should go for the Security forum -- this does not at all appear to be an X-windows/UNIX related issue, and you'd get more expertise over at the correct forum. -- UbuntuForums Administrator: try Ubuntu Linux |
|
 donoreo Premium join:2002-05-30 North York, ON | reply to maxflia said by maxflia: "I'm stumbling through NMAP right now. It's not showing 6002 but it is showing 6004 ncacn_http Microsoft Windows RPC over HTTP. I recently have taken over this network and I am trying to clean it up. Thanks for the help." That is for connecting Outlook 2003 and greater to an Exchange server. -- The irony of common sense, it is not that common I judge you when you use poor grammar I cannot deny anything I did not say |
|