Security Incidents mailing list archives
Re: backdoor or bot?
From: Jon Lewis <jlewis () LEWIS ORG>
Date: Wed, 27 Dec 2000 14:41:04 -0500
On Wed, 27 Dec 2000, Brian Caswell wrote:
> > painkeeper login:
> >
> > My guess is, this is a backdoor.
>
> Nah, it's most likely some script kiddie has added an issue.net onto his
> ub3r ch3llz b0xz 'cause he thinks it looks reet.
>
> Remember Hanlon's Razor: Never attribute to malice that which can be
> adequately explained by stupidity.
Sure...it could be a bot...but the bigger picture suggests to me that it's not, or that even if it is, it's still an owned system. Here we have a Red Hat box in Korea. It appears to be doing no access control (via ipchains or tcp_wrappers) for the standard services, most of which have been left running. It's scanning portions of the internet for other systems to break into (that's how I found it). It has a couple things listening for connections on odd ports, including what looks like sshd on port 7879, yet there's no sshd on port 22. This tells me someone has broken in, installed some scanning software, perhaps set up a bot, and probably installed a backdoor version of ssh so they can't be watched via a packet sniffer.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator           |  therefore you are
 Atlantic Net                   |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
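The indicators weighed in the message above (default services left reachable, listeners on odd ports, an SSH banner on 7879 with nothing on 22) can be written down as a small triage rule set. This is an added example, not part of the original post; the port-to-service table, the severity labels, and the sample observations (including port 40000 and all banner strings) are constructed assumptions.

```python
import re

# Assumption: a small table standing in for "the standard services".
STANDARD_PORTS = {21: "ftp", 23: "telnet", 25: "smtp", 79: "finger", 111: "portmap"}
# SSH servers identify themselves with a line starting "SSH-<major>.<minor>-".
SSH_BANNER = re.compile(r"^SSH-\d+\.\d+-")

def triage(listeners):
    """listeners: dict of TCP port -> first line the service sent on connect.

    Returns a list of (severity, reason) tuples, most serious first.
    """
    findings = []
    ssh_ports = sorted(p for p, b in listeners.items() if SSH_BANNER.match(b))
    odd_ssh = [p for p in ssh_ports if p != 22]
    if odd_ssh and 22 not in ssh_ports:
        # The pattern from the post: sshd somewhere unusual, none where expected.
        findings.append(("high", f"SSH banner on port(s) {odd_ssh} but none on 22"))
    elif odd_ssh:
        findings.append(("medium", f"extra SSH listener on port(s) {odd_ssh}"))
    unknown = sorted(p for p in listeners
                     if p >= 1024 and p not in STANDARD_PORTS and p not in ssh_ports)
    if unknown:
        findings.append(("medium", f"unidentified listener on high port(s) {unknown}"))
    exposed = sorted(STANDARD_PORTS[p] for p in listeners if p in STANDARD_PORTS)
    if len(exposed) >= 3:
        findings.append(("low", f"default services reachable: {exposed}"))
    return findings

# Constructed observations shaped like the host described in the post.
SAMPLE = {
    21: "220 host FTP server ready.",
    23: "login:",
    25: "220 host ESMTP Sendmail",
    79: "",
    7879: "SSH-1.5-1.2.27",      # constructed banner on the port named in the post
    40000: "painkeeper login:",  # constructed port; prompt text is from the post
}

if __name__ == "__main__":
    for severity, reason in triage(SAMPLE):
        print(f"[{severity}] {reason}")
```

No single finding is conclusive; as in the post, it is the combination that points to an owned system rather than a harmless misconfiguration.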