Full Disclosure mailing list archives

Ever caught BitchX listening on a port?


From: nc () stormvault net (Nicolas Couture)
Date: Sun, 29 Sep 2002 14:58:29 -0400

The version of BitchX used in the following surprise is the latest
Debian package from mirrors.kernel.org installed with apt-get.

Surprise from BitchX follows
                                --- cut ---
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 9246519 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 21246336 microseconds.
+ Ignoring time.
+ Adding open port 54655/tcp
...

+ dimension:/home/remote# netstat -tap | grep 54655
+ tcp        0      0 *:54655                 *:*
+ LISTEN      28549/BitchX
+
+ dimension:/home/remote# killall BitchX
+
+ dimension:/home/remote# netstat -tap | grep 54655
+
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 32768/tcp
+ adjust_timeout: packet supposedly had rtt of 9199896 microseconds.
+ Ignoring time.
+ Adding open port 22/tcp
+ adjust_timeout: packet supposedly had rtt of 21199929 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 10193384 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 22193084 microseconds.
+ Ignoring time.
+ Adding open port 6000/tcp
+ adjust_timeout: packet supposedly had rtt of 45199938 microseconds.
+ Ignoring time.
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 8996397 microseconds.
+ Ignoring time.
+ The SYN Stealth Scan took 88 seconds to scan 65535 ports.
+ Interesting ports on dimension (127.0.0.1):
+ (The 65531 ports scanned but not shown below are in state: closed)
+ Port       State       Service
+ 21/tcp     open        ftp
+ 22/tcp     open        ssh
+ 6000/tcp   open        X11
+ 32768/tcp  open        unknown
+
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 88 seconds

+++ And netstat agreed +++
                                --- cut ---

Additional info:

After this incident I tried to reproduce the same thing many times
without success.

There was in no case any DCC used on this bitchx session (which should
bring the client to listen on a port) which was the only one running on
that box.

Unfortunately I do not have the required skills to go any further in
that case.


A question I have:

What would have been useful to run to gain more information about
this? I.E. if it was a bitchx exploit I could have caught it in action
using x IDS or something similar.

Thanks,
        Nicolas Couture
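
The manual check shown in the message (find an open port, then map it to its owning process with netstat) can be automated as a baseline comparison. The following is an added example, not part of the original message: it parses constructed `netstat -tanp` style output and reports listeners outside a per-host baseline. The sample rows other than the BitchX listener, the process owners, and `BASELINE` are assumptions.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample in `netstat -tanp` layout. The BitchX LISTEN row mirrors
# the listener in the post; the other rows and their owners are made up.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      412/inetd
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      398/sshd
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      501/X
tcp        0      0 0.0.0.0:54655           0.0.0.0:*               LISTEN      28549/BitchX
tcp        0      0 10.0.0.5:33012          192.0.2.10:6667         ESTABLISHED 28549/BitchX
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN      -
"""

# Hypothetical baseline: (program, port) pairs allowed to listen on this host.
BASELINE = {("inetd", 21), ("sshd", 22), ("X", 6000)}

class Listener(NamedTuple):
    port: int
    pid: Optional[int]
    program: Optional[str]

def parse_listeners(text):
    """Return every TCP socket in LISTEN state with its owning process."""
    found = []
    for line in text.splitlines():
        f = line.split(None, 6)
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        port = int(f[3].rsplit(":", 1)[1])   # numeric because of -n
        m = re.match(r"(\d+)/(\S+)", f[6])   # "-" means owner not visible
        pid, prog = (int(m.group(1)), m.group(2)) if m else (None, None)
        found.append(Listener(port, pid, prog))
    return found

def unexpected(listeners, baseline=BASELINE):
    """Listeners outside the baseline, including ones with no visible owner."""
    return [l for l in listeners if (l.program, l.port) not in baseline]

if __name__ == "__main__":
    for l in unexpected(parse_listeners(SAMPLE)):
        print(f"unexpected listener: port {l.port} pid {l.pid} program {l.program}")
```

A listener reported with no PID or program means netstat could not see the owner, which is why such rows are flagged rather than skipped.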

