Full Disclosure mailing list archives
Ever caught BitchX listening on a port?
From: nc () stormvault net (Nicolas Couture)
Date: Sun, 29 Sep 2002 14:58:29 -0400
The version of BitchX used in the following surprise is the latest Debian package from mirrors.kernel.org installed with apt-get.

Surprise from BitchX follows

--- cut ---
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 9246519 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 21246336 microseconds.
+ Ignoring time.
+ Adding open port 54655/tcp
...
+ dimension:/home/remote# netstat -tap | grep 54655
+ tcp 0 0 *:54655 *:*
+ LISTEN 28549/BitchX
+
+ dimension:/home/remote# killall BitchX
+
+ dimension:/home/remote# netstat -tap | grep 54655
+
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 32768/tcp
+ adjust_timeout: packet supposedly had rtt of 9199896 microseconds.
+ Ignoring time.
+ Adding open port 22/tcp
+ adjust_timeout: packet supposedly had rtt of 21199929 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 10193384 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 22193084 microseconds.
+ Ignoring time.
+ Adding open port 6000/tcp
+ adjust_timeout: packet supposedly had rtt of 45199938 microseconds.
+ Ignoring time.
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 8996397 microseconds.
+ Ignoring time.
+ The SYN Stealth Scan took 88 seconds to scan 65535 ports.
+ Interesting ports on dimension (127.0.0.1):
+ (The 65531 ports scanned but not shown below are in state: closed)
+ Port State Service
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 6000/tcp open X11
+ 32768/tcp open unknown
+
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 88 seconds
+++ And netstat agreed +++
--- cut ---

Additional info: After this incident I tried to reproduce the same thing many times without success. There was in no case any DCC used on this bitchx session (which should bring the client to listen on a port) which was the only one running on that box. Unfortunately I do not have the required skills to go any further in that case.

A question I have: What would have been useful to run to gain more information about this? I.e. if it was a bitchx exploit I could have caught it in action using x IDS or something similar.

Thanks,
Nicolas Couture
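One way to record evidence about an unexpected listener like the one in this post before killing the process, as an added example that is not part of the original message: it parses a /proc/net/tcp table, flags listening ports outside a baseline, and maps the socket inode to the owning PID and executable. The baseline set, the sample table and the function names are assumptions, as is an IPv4 socket table on a little-endian Linux host.

```python
import os

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp
BASELINE = {21, 22, 6000, 32768}  # assumption: ports from the post's second scan

# Constructed sample in /proc/net/tcp layout (0xD57F = 54655, the port in the post).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:D57F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 88231
   2: 0100007F:0016 0100007F:8123 01 00000000:00000000 00:00000000 00000000     0        0 90412
"""

def listeners(table):
    """Return (ip, port, uid, inode) for every socket in LISTEN state."""
    out = []
    for line in table.splitlines()[1:]:
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        addr, port = f[1].split(":")
        # The kernel prints the IPv4 address in host byte order (little-endian assumed).
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(addr)))
        out.append((ip, int(port, 16), int(f[7]), int(f[9])))
    return out

def unexpected(table, baseline=BASELINE):
    """Listeners whose port is not in the expected baseline."""
    return [l for l in listeners(table) if l[1] not in baseline]

def owners(inode, proc="/proc"):
    """Return (pid, exe) for each process holding the socket inode.
    Seeing other users' processes requires root."""
    target, found = f"socket:[{inode}]", []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            if target in links:
                found.append((int(pid), os.readlink(os.path.join(proc, pid, "exe"))))
        except OSError:
            continue  # process exited or access denied
    return found

if __name__ == "__main__":
    with open("/proc/net/tcp") as fh:  # live table; record owners before killing anything
        for ip, port, uid, inode in unexpected(fh.read()):
            print(f"{ip}:{port} uid={uid} inode={inode} owners={owners(inode)}")
```

Run as a script it reads the live table; the owning UID and executable path it prints are the details that are lost once the process is killed.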