Security Basics mailing list archives

Re: Server Compromised ?


From: xyberpix <xyberpix () xyberpix com>
Date: Sun, 29 Jan 2006 13:41:53 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

What I'd suggest on this one is running a sniffer for a little while against all traffic to the server in question, and seeing what sort of data is coming in/going out. You may be able to glean some more information from that.

Mail me off list if you'd like.


xyberpix

Blog: http://blogs.securiteam.com



On 26 Jan 2006, at 18:08, Daniel Gil wrote:


I am a bit confused.

I have got two servers (let's say server A 123.123.123.123 & server B 123.123.123.124) behind my ISP firewall.

Both are W2k, and if I run 'netstat -an' I get similar results:

Server A

  Proto  Dirección local       Dirección remota      Estado
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:110            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:554            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1044           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1057           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1058           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1059           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1061           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1063           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1065           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1068           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1082           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1085           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1097           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1098           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1102           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1144           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1148           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1149           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1150           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1162           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1171           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1172           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1177           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1178           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1179           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1186           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1187           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1503           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2751           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3584           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3587           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3591           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3601           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3604           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3607           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3612           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3615           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3619           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3622           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3627           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3630           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3635           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3638           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3645           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3648           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3649           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9093           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:63148          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1057         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1058         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1059         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1061         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1063         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1065         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1068         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1080         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1082         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1085         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1097         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1102         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1144         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1148         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1149         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1162         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1177         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1178         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1179         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1186         127.0.0.1:1187         ESTABLISHED
  TCP    127.0.0.1:1187         127.0.0.1:1186         ESTABLISHED
  TCP    127.0.0.1:9092         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9092         127.0.0.1:1057         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1058         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1059         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1061         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1063         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1065         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1068         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1080         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1082         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1085         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1097         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1102         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1144         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1148         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1149         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1162         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1177         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1178         ESTABLISHED
  TCP    127.0.0.1:9092         127.0.0.1:1179         ESTABLISHED
  TCP    127.0.0.1:9094         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12025        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12080        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12110        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12119        0.0.0.0:0              LISTENING
  TCP    127.0.0.1:12143        0.0.0.0:0              LISTENING
  TCP    123.123.123.123:25        201.255.40.183:62323   TIME_WAIT
  TCP    123.123.123.123:80        200.61.53.112:1492     FIN_WAIT_2
  TCP    123.123.123.123:80        200.114.226.119:6686   TIME_WAIT
  TCP    123.123.123.123:80        200.114.226.119:8151   TIME_WAIT
  TCP    123.123.123.123:80        200.114.226.119:8229   TIME_WAIT
  TCP    123.123.123.123:80        201.216.221.177:2285   TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3370    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3390    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3420    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3422    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3424    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3435    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3441    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3444    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3492    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3537    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3545    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3567    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3579    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3593    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3600    TIME_WAIT
  TCP    123.123.123.123:80        201.252.128.57:3628    TIME_WAIT
  TCP    123.123.123.123:1150      123.123.123.123:8083   ESTABLISHED
  TCP    123.123.123.123:1171      123.123.123.123:9093   ESTABLISHED
  TCP    123.123.123.123:1172      123.123.123.123:9093   ESTABLISHED
  TCP    123.123.123.123:1352      123.123.123.123:2751   ESTABLISHED
  TCP    123.123.123.123:2751      123.123.123.123:1352   ESTABLISHED
  TCP    123.123.123.123:8083      0.0.0.0:0              LISTENING
  TCP    123.123.123.123:8083      123.123.123.123:1150   ESTABLISHED
  TCP    123.123.123.123:9093      123.123.123.123:1171   ESTABLISHED
  TCP    123.123.123.123:9093      123.123.123.123:1172   ESTABLISHED
  UDP    123.123.123.123:500       *:*



SERVER B

<Some entries are lost>

 TCP    0.0.0.0:1211           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1212           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1213           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1214           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1215           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1216           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1217           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1218           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1219           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1220           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1221           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1222           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1223           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1224           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1225           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1226           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1227           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1228           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1229           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1230           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1231           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1232           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1233           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1234           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1235           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1236           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1237           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1238           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1239           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1240           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1241           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1242           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1243           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1244           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1245           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1246           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1247           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1248           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1249           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1250           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1251           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1252           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1253           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1254           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1255           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1256           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1257           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1258           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1259           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1260           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1261           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1262           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1263           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1265           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1266           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1267           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1268           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1269           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1270           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1271           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1272           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1273           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1274           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1275           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1276           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1277           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1278           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1279           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1280           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1281           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1282           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1283           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1352           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1503           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1516           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1533           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1928           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:1980           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2278           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2283           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2284           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2285           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2289           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2298           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:2443           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:3525           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:3527           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:3750           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:4061           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:4144           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:4145           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:4146           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8082           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:8987           0.0.0.0:0              LISTENING
 TCP    0.0.0.0:9093           0.0.0.0:0              LISTENING
 TCP    127.0.0.1:445          127.0.0.1:4061         ESTABLISHED
 TCP    127.0.0.1:1041         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1042         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1043         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1045         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1047         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1048         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1050         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1063         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1067         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1071         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1083         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1089         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1132         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1133         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1134         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1144         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1159         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1164         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1165         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1172         127.0.0.1:1173         ESTABLISHED
 TCP    127.0.0.1:1173         127.0.0.1:1172         ESTABLISHED
 TCP    127.0.0.1:1190         127.0.0.1:1191         ESTABLISHED
 TCP    127.0.0.1:1191         127.0.0.1:1190         ESTABLISHED
 TCP    127.0.0.1:1192         127.0.0.1:1193         ESTABLISHED
 TCP    127.0.0.1:1193         127.0.0.1:1192         ESTABLISHED
 TCP    127.0.0.1:1194         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1195         127.0.0.1:1196         ESTABLISHED
 TCP    127.0.0.1:1196         127.0.0.1:1195         ESTABLISHED
 TCP    127.0.0.1:1197         127.0.0.1:1198         ESTABLISHED
 TCP    127.0.0.1:1198         127.0.0.1:1197         ESTABLISHED
 TCP    127.0.0.1:1199         127.0.0.1:9092         ESTABLISHED
 TCP    127.0.0.1:1200         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1201         127.0.0.1:1202         ESTABLISHED
 TCP    127.0.0.1:1202         127.0.0.1:1201         ESTABLISHED
 TCP    127.0.0.1:1203         127.0.0.1:1204         ESTABLISHED
 TCP    127.0.0.1:1204         127.0.0.1:1203         ESTABLISHED
 TCP    127.0.0.1:1205         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1206         127.0.0.1:1207         ESTABLISHED
 TCP    127.0.0.1:1207         127.0.0.1:1206         ESTABLISHED
 TCP    127.0.0.1:1208         127.0.0.1:1209         ESTABLISHED
 TCP    127.0.0.1:1209         127.0.0.1:1208         ESTABLISHED
 TCP    127.0.0.1:1210         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1211         127.0.0.1:1212         ESTABLISHED
 TCP    127.0.0.1:1212         127.0.0.1:1211         ESTABLISHED
 TCP    127.0.0.1:1213         127.0.0.1:1214         ESTABLISHED
 TCP    127.0.0.1:1214         127.0.0.1:1213         ESTABLISHED
 TCP    127.0.0.1:1215         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1216         127.0.0.1:1217         ESTABLISHED
 TCP    127.0.0.1:1217         127.0.0.1:1216         ESTABLISHED
 TCP    127.0.0.1:1218         127.0.0.1:1219         ESTABLISHED
 TCP    127.0.0.1:1219         127.0.0.1:1218         ESTABLISHED
 TCP    127.0.0.1:1220         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1221         127.0.0.1:1222         ESTABLISHED
 TCP    127.0.0.1:1222         127.0.0.1:1221         ESTABLISHED
 TCP    127.0.0.1:1224         127.0.0.1:1225         ESTABLISHED
 TCP    127.0.0.1:1225         127.0.0.1:1224         ESTABLISHED
 TCP    127.0.0.1:1226         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1227         127.0.0.1:1228         ESTABLISHED
 TCP    127.0.0.1:1228         127.0.0.1:1227         ESTABLISHED
 TCP    127.0.0.1:1230         127.0.0.1:1231         ESTABLISHED
 TCP    127.0.0.1:1231         127.0.0.1:1230         ESTABLISHED
 TCP    127.0.0.1:1232         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1233         127.0.0.1:1234         ESTABLISHED
 TCP    127.0.0.1:1234         127.0.0.1:1233         ESTABLISHED
 TCP    127.0.0.1:1235         127.0.0.1:1236         ESTABLISHED
 TCP    127.0.0.1:1236         127.0.0.1:1235         ESTABLISHED
 TCP    127.0.0.1:1237         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1238         127.0.0.1:1239         ESTABLISHED
 TCP    127.0.0.1:1239         127.0.0.1:1238         ESTABLISHED
 TCP    127.0.0.1:1240         127.0.0.1:1241         ESTABLISHED
 TCP    127.0.0.1:1241         127.0.0.1:1240         ESTABLISHED
 TCP    127.0.0.1:1242         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1243         127.0.0.1:1244         ESTABLISHED
 TCP    127.0.0.1:1244         127.0.0.1:1243         ESTABLISHED
 TCP    127.0.0.1:1245         127.0.0.1:1246         ESTABLISHED
 TCP    127.0.0.1:1246         127.0.0.1:1245         ESTABLISHED
 TCP    127.0.0.1:1247         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1248         127.0.0.1:1249         ESTABLISHED
 TCP    127.0.0.1:1249         127.0.0.1:1248         ESTABLISHED
 TCP    127.0.0.1:1250         127.0.0.1:1251         ESTABLISHED
 TCP    127.0.0.1:1251         127.0.0.1:1250         ESTABLISHED
 TCP    127.0.0.1:1252         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1253         127.0.0.1:1254         ESTABLISHED
 TCP    127.0.0.1:1254         127.0.0.1:1253         ESTABLISHED
 TCP    127.0.0.1:1255         127.0.0.1:1256         ESTABLISHED
 TCP    127.0.0.1:1256         127.0.0.1:1255         ESTABLISHED
 TCP    127.0.0.1:1257         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1258         127.0.0.1:1259         ESTABLISHED
 TCP    127.0.0.1:1259         127.0.0.1:1258         ESTABLISHED
 TCP    127.0.0.1:1260         127.0.0.1:1261         ESTABLISHED
 TCP    127.0.0.1:1261         127.0.0.1:1260         ESTABLISHED
 TCP    127.0.0.1:1262         127.0.0.1:1263         ESTABLISHED
 TCP    127.0.0.1:1263         127.0.0.1:1262         ESTABLISHED
 TCP    127.0.0.1:1265         127.0.0.1:1266         ESTABLISHED
 TCP    127.0.0.1:1266         127.0.0.1:1265         ESTABLISHED
 TCP    127.0.0.1:1267         127.0.0.1:1268         ESTABLISHED
 TCP    127.0.0.1:1268         127.0.0.1:1267         ESTABLISHED
 TCP    127.0.0.1:1269         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1270         127.0.0.1:1271         ESTABLISHED
 TCP    127.0.0.1:1271         127.0.0.1:1270         ESTABLISHED
 TCP    127.0.0.1:1272         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1273         127.0.0.1:1274         ESTABLISHED
 TCP    127.0.0.1:1274         127.0.0.1:1273         ESTABLISHED
 TCP    127.0.0.1:1275         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1276         127.0.0.1:1277         ESTABLISHED
 TCP    127.0.0.1:1277         127.0.0.1:1276         ESTABLISHED
 TCP    127.0.0.1:1278         127.0.0.1:1279         ESTABLISHED
 TCP    127.0.0.1:1279         127.0.0.1:1278         ESTABLISHED
 TCP    127.0.0.1:1280         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1281         127.0.0.1:1282         ESTABLISHED
 TCP    127.0.0.1:1282         127.0.0.1:1281         ESTABLISHED
 TCP    127.0.0.1:1283         127.0.0.1:1516         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1194         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1200         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1205         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1210         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1215         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1220         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1226         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1232         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1237         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1242         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1247         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1252         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1257         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1269         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1272         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1275         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1280         ESTABLISHED
 TCP    127.0.0.1:1516         127.0.0.1:1283         ESTABLISHED
 TCP    127.0.0.1:1516         123.123.123.124:1264      ESTABLISHED
 TCP    127.0.0.1:4061         127.0.0.1:445          ESTABLISHED
 TCP    127.0.0.1:9092         0.0.0.0:0              LISTENING
 TCP    127.0.0.1:9092         127.0.0.1:1041         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1042         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1043         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1045         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1047         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1048         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1050         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1063         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1067         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1071         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1083         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1089         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1132         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1133         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1134         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1144         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1159         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1164         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1165         ESTABLISHED
 TCP    127.0.0.1:9092         127.0.0.1:1199         ESTABLISHED
 TCP    127.0.0.1:9094         0.0.0.0:0              LISTENING
 TCP    123.123.123.124:25        85.250.57.67:1278      TIME_WAIT
 TCP    123.123.123.124:25        201.25.170.200:4174    TIME_WAIT
 TCP    123.123.123.124:110       200.59.34.91:1050      TIME_WAIT
 TCP    123.123.123.124:110       200.59.34.91:2089      TIME_WAIT
 TCP    123.123.123.124:110       200.59.34.91:2090      TIME_WAIT
 TCP    123.123.123.124:110       200.59.34.91:2091      TIME_WAIT
 TCP    123.123.123.124:1153      123.123.123.124:9093   ESTABLISHED
 TCP    123.123.123.124:1154      123.123.123.124:9093   ESTABLISHED
 TCP    123.123.123.124:1160      123.123.123.124:8083   ESTABLISHED
 TCP    123.123.123.124:1223      123.123.123.124:1516   ESTABLISHED
 TCP    123.123.123.124:1229      123.123.123.124:1516   ESTABLISHED
 TCP    123.123.123.124:1264      0.0.0.0:0              LISTENING
 TCP    123.123.123.124:1264      127.0.0.1:1516         ESTABLISHED
 TCP    123.123.123.124:1352      200.43.70.147:1034     ESTABLISHED
 TCP    123.123.123.124:1352      200.43.70.147:1110     ESTABLISHED
 TCP    123.123.123.124:1352      200.43.70.147:1145     ESTABLISHED
 TCP    123.123.123.124:1352      200.43.70.147:1157     ESTABLISHED
 TCP    123.123.123.124:1352      200.43.70.147:1180     ESTABLISHED
 TCP    123.123.123.124:1352      200.43.70.147:1473     ESTABLISHED
 TCP    123.123.123.124:1352      200.59.34.91:2301      ESTABLISHED
 TCP    123.123.123.124:1352      123.123.123.124:3750   ESTABLISHED
 TCP    123.123.123.124:1352      123.123.123.124:4144   ESTABLISHED
 TCP    123.123.123.124:1352      123.123.123.124:4145   ESTABLISHED
 TCP    123.123.123.124:1352      123.123.123.124:4146   ESTABLISHED
 TCP    123.123.123.124:1516      123.123.123.124:1223   ESTABLISHED
 TCP    123.123.123.124:1516      123.123.123.124:1229   ESTABLISHED
 TCP    123.123.123.124:1533      200.43.70.147:1501     ESTABLISHED
 TCP    123.123.123.124:3750      123.123.123.124:1352   ESTABLISHED
 TCP    123.123.123.124:4066      200.43.70.147:1352     TIME_WAIT
 TCP    123.123.123.124:4088      200.43.70.147:1352     TIME_WAIT
 TCP    123.123.123.124:4144      123.123.123.124:1352   ESTABLISHED
 TCP    123.123.123.124:4145      123.123.123.124:1352   ESTABLISHED
 TCP    123.123.123.124:4146      123.123.123.124:1352   ESTABLISHED
 TCP    123.123.123.124:4535      200.59.34.91:1352      TIME_WAIT
 TCP    123.123.123.124:4536      200.43.70.147:1352     TIME_WAIT
 TCP    123.123.123.124:8083      0.0.0.0:0              LISTENING
 TCP    123.123.123.124:8083      123.123.123.124:1160   ESTABLISHED
 TCP    123.123.123.124:9093      123.123.123.124:1153   ESTABLISHED
 TCP    123.123.123.124:9093      123.123.123.124:1154   ESTABLISHED
 UDP    123.123.123.124:500       *:*


If I run nmap from a machine inside this subnet I get this for server A:


serverD:~ # nmap -sT -p5-65535 123.123.123.123

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2006-01-26 13:59 ART
Strange read error from 123.123.123.123 (104): Operation now in progress

<Lots of this>

Strange read error from 123.123.123.123 (104): Illegal seek

<Some of this>

Interesting ports on xxxxxx.xxxxxx.com (123.123.123.123):
(The 65473 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
554/tcp    open        rtsp
1044/tcp   open        unknown
1057/tcp   open        unknown
1058/tcp   open        nim
1059/tcp   open        nimreg
1061/tcp   open        unknown
1063/tcp   open        unknown
1065/tcp   open        unknown
1068/tcp   open        instl_bootc
1080/tcp   open        socks
1082/tcp   open        unknown
1085/tcp   open        unknown
1097/tcp   open        unknown
1098/tcp   open        unknown
1102/tcp   open        unknown
1144/tcp   open        unknown
1148/tcp   open        unknown
1149/tcp   open        unknown
1150/tcp   open        unknown
1162/tcp   open        unknown
1171/tcp   open        unknown
1172/tcp   open        unknown
1177/tcp   open        unknown
1178/tcp   open        skkserv
1179/tcp   open        unknown
1186/tcp   open        unknown
1187/tcp   open        unknown
1352/tcp   open        lotusnotes
1503/tcp   open        imtc-mcs
2751/tcp   open        unknown
3919/tcp   open        unknown
3921/tcp   open        unknown
3924/tcp   open        unknown
3926/tcp   open        unknown
3927/tcp   open        unknown
3928/tcp   open        unknown
3939/tcp   open        unknown
3942/tcp   open        unknown
3989/tcp   open        unknown
3993/tcp   open        unknown
3998/tcp   open        unknown
4001/tcp   open        unknown
4006/tcp   open        unknown
4009/tcp   open        unknown
4014/tcp   open        unknown
4017/tcp   open        unknown
4018/tcp   open        unknown
4020/tcp   open        unknown
4025/tcp   open        unknown
8081/tcp   open        blackice-icecap
8083/tcp   open        unknown
9093/tcp   open        unknown
63148/tcp  open        unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 11.533 seconds

And for server B:

ServerD:~ # nmap -sT -p5-65535 123.123.123.124

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2006-01-26 14:03 ART
Interesting ports on yyyyy.yyyyy.com (123.123.123.124):
(The 65513 ports scanned but not shown below are in state: closed)
Port       State       Service
25/tcp     open        smtp
80/tcp     open        http
110/tcp    open        pop-3
143/tcp    open        imap2
554/tcp    open        rtsp
1025/tcp   open        NFS-or-IIS
1352/tcp   open        lotusnotes
1503/tcp   open        imtc-mcs
1516/tcp   open        vpad
1533/tcp   open        virtual-places
8081/tcp   open        blackice-icecap
8082/tcp   open        blackice-alerts
8987/tcp   open        unknown
9093/tcp   open        unknown

Nmap run completed -- 1 IP address (1 host up) scanned in 16.718 seconds

The ports open on server B are OK. I know who is listening on each one.

But I can't say the same about server A.

If I do a telnet from server B to A, to any port listed in nmap on which I know (or at least believe to know) there shouldn't be any service listening (let's say port 2751), I get this:

serverA:~ # telnet 123.123.123.124 2751
Trying 123.123.123.124...
Connected to 123.123.123.124.
Escape character is '^]'.
Connection closed by foreign host.
serverA:~ #

I have some questions that I can't answer yet:

1.- What is the real meaning of all those ports open in both machines at address 0.0.0.0? Is it OK to have so many?

2.- Who/what is listening on port 2751 (and on other ones) on server A?

Any help/hint will be appreciated !!!

I have run Antivirus & Antispyware without any success on server A.


---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management
education and the case study affords you unmatched consulting experience.
Tailor your education to your own professional goals with degree
customizations including Emergency Management, Business Continuity Planning,
Computer Emergency Response Teams, and Digital Investigations.

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (Darwin)

iD8DBQFD3MYi2VKEoIQBZwkRApE3AKDJgjxI0vHLBEN328r5fVJKjtbdNQCguQ+B
B5FXyVE0+8SPu6hnvPOO8gU=
=Ylji
-----END PGP SIGNATURE-----
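The quoted post asks two things: what a listener on 0.0.0.0 means, and what sits behind port 2751 on server A. The script below is an added example for this archive page, not code from the thread or from either poster. It reads a `netstat -an` listing in the posted layout (the Spanish column headers are skipped rather than parsed), separates listeners bound on all interfaces from loopback-only ones, pairs up the loopback connections so the 1186/1187-style rows are not mistaken for network exposure, lists the remote hosts talking to ports the admin cannot account for, and cross-checks the host's own view against the nmap table. Both samples are constructed in the layout of the Server A listings; the remote host 198.51.100.7 is a made-up address, and the set of "expected" ports (25, 80, 110) is an assumption standing in for whatever the admin can vouch for.

```python
"""Triage of the netstat -an and nmap listings posted in the thread above.
Added example for this archive page, not code from the thread or its posters.
Both samples are constructed in the layout of the Server A listings; the
remote host 198.51.100.7 is a made-up address."""
import re
from collections import defaultdict

NETSTAT_SAMPLE = """\
  Proto  Dirección local        Dirección remota       Estado
  TCP    0.0.0.0:25             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1057           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1186           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1187           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2751           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1057         127.0.0.1:9092         ESTABLISHED
  TCP    127.0.0.1:1186         127.0.0.1:1187         ESTABLISHED
  TCP    127.0.0.1:1187         127.0.0.1:1186         ESTABLISHED
  TCP    127.0.0.1:9092         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:9092         127.0.0.1:1057         ESTABLISHED
  TCP    123.123.123.123:80     200.61.53.112:1492     FIN_WAIT_2
  TCP    123.123.123.123:2751   198.51.100.7:4099      ESTABLISHED
"""
NMAP_SAMPLE = """\
Port       State       Service
25/tcp     open        smtp
80/tcp     open        http
1057/tcp   open        unknown
2751/tcp   open        unknown
3919/tcp   open        unknown
"""
# One netstat row: proto, local ip:port, remote ip:port, optional state (UDP has none).
NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")
NMAP_ROW = re.compile(r"^(\d+)/tcp\s+open\b")


def parse_netstat(text):
    """netstat -an rows as dicts; the header line does not match and is skipped."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_ROW.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            rows.append({"proto": proto, "lip": lip, "rip": rip, "state": state or "",
                         "lport": None if lport == "*" else int(lport),
                         "rport": None if rport == "*" else int(rport)})
    return rows


def parse_nmap_open(text):
    """TCP ports nmap reported open, read from its 'Port State Service' table."""
    return {int(m.group(1)) for m in map(NMAP_ROW.match, text.splitlines()) if m}


def is_loopback(ip):
    return ip.startswith("127.")


def triage(netstat_text, nmap_text, expected_ports):
    """Sort the listing by the thread's two questions; expected_ports = ports the admin can vouch for."""
    rows = [r for r in parse_netstat(netstat_text) if r["proto"] == "TCP"]
    listening = [r for r in rows if r["state"] == "LISTENING"]
    # 0.0.0.0 = bound on every interface, reachable by whatever the firewall
    # passes; 127.0.0.1 = only processes on this host can connect.
    exposed = {r["lport"] for r in listening if r["lip"] == "0.0.0.0"}
    reachable = {r["lport"] for r in listening if not is_loopback(r["lip"])}
    local_only = {r["lport"] for r in listening if is_loopback(r["lip"])}

    # Loopback connections: a port talking to a loopback listener is a local
    # client of that service; a pair with no listener on either side (the
    # 1186<->1187 style rows) is one program talking to itself.
    clients_of_local, self_pairs = defaultdict(set), set()
    for r in rows:
        if r["state"] != "ESTABLISHED" or not (is_loopback(r["lip"]) and is_loopback(r["rip"])):
            continue
        if r["rport"] in local_only:
            clients_of_local[r["rport"]].add(r["lport"])
        elif r["lport"] not in local_only:
            self_pairs.add(tuple(sorted((r["lport"], r["rport"]))))

    # Remote hosts seen on ports nobody can account for: point the sniffer here first.
    peers = defaultdict(set)
    for r in rows:
        if (r["state"] != "LISTENING" and not is_loopback(r["rip"])
                and r["rip"] not in ("0.0.0.0", r["lip"]) and r["lport"] not in expected_ports):
            peers[r["lport"]].add(r["rip"])

    # Cross-check with the scanner: disagreement between the two views needs a simultaneous re-run.
    scanned_open = parse_nmap_open(nmap_text)
    return {
        "exposed_unexpected": sorted(exposed - set(expected_ports)),
        "local_only": sorted(local_only),
        "clients_of_local": {p: sorted(c) for p, c in clients_of_local.items()},
        "self_pairs": sorted(self_pairs),
        "external_peers": {p: sorted(h) for p, h in peers.items()},
        "open_but_not_listening": sorted(scanned_open - reachable),
        "listening_but_not_open": sorted(reachable - scanned_open),
    }


if __name__ == "__main__":
    for key, value in triage(NETSTAT_SAMPLE, NMAP_SAMPLE, {25, 80, 110}).items():
        print(f"{key}: {value}")
```

On the sample this reports 1057, 1186, 1187 and 2751 as all-interface listeners nobody has accounted for, 9092 as loopback-only with 1057 as its local client, 1186/1187 as a self-pair, 198.51.100.7 as the one outside host on an unexplained port, and 3919 as open to the scanner but absent from netstat. Netstat on Windows 2000 cannot name the owning process (the -o switch that prints the PID arrived with Windows XP), so a port-to-process tool such as Sysinternals TCPView or Fport is the next step for the "who" question. Two caveats: the scan-versus-netstat differences only mean something when both snapshots were taken at the same moment, since ephemeral ports churn between runs; and netstat on a host that is actually compromised can be made to lie, which is why the reply's suggestion of watching the traffic from a separate machine is the more trustworthy check.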
