Security Incidents mailing list archives

Re: backdoor or bot?


From: Jon Lewis <jlewis () LEWIS ORG>
Date: Wed, 27 Dec 2000 14:41:04 -0500

On Wed, 27 Dec 2000, Brian Caswell wrote:

> > painkeeper login:
> >
> > My guess is, this is a backdoor.
>
> Nah, it's most likely some script kiddie has added an issue.net onto
> his ub3r ch3llz b0xz cause he thinks it looks reet. Remember Hanlon's
> Razor: Never attribute to malice that which can be adequately explained
> by stupidity.

Sure...it could be a bot...but the bigger picture suggests to me that it's
not, or that even if it is, it's still an owned system.  Here we have a
Red Hat box in Korea.  It appears to be doing no access control (via
ipchains or tcp_wrappers) for the standard services, most of which have
been left running.  It's scanning portions of the internet for other
systems to break into (that's how I found it).  It has a couple things
listening for connections on odd ports, including what looks like sshd on
port 7879, yet there's no sshd on port 22.

This tells me someone has broken in, installed some scanning software,
perhaps set up a bot, and probably installed a backdoor version of ssh so
they can't be watched via a packet sniffer.

----------------------------------------------------------------------
 Jon Lewis *jlewis () lewis org*|  I route
 System Administrator        |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
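The check behind "what looks like sshd on port 7879, yet there's no sshd on port 22" is to identify each listener by the protocol it speaks rather than by its port number. The following is an added example, not code from Jon Lewis's post or from the mailing list: it parses SSH identification strings (the "SSH-protoversion-softwareversion" line an sshd sends first) and flags SSH served off port 22 with nothing SSH-like on 22. The host name, ports and banners in SAMPLE are constructed sample data; grab_banner is the only part that touches the network and is not needed to run the classification offline.

```python
"""Added example (not from the original post): classify listening ports by
banner, not port number. SAMPLE below is constructed data, not a real capture."""
import re
import socket
from typing import Dict, List, Optional

# RFC 4253 identification string: "SSH-protoversion-softwareversion [comments]"
SSH_ID_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?: (?P<comment>.*))?$"
)


def parse_ssh_banner(line: bytes) -> Optional[dict]:
    """Return the parsed fields if `line` is an SSH identification string, else None."""
    try:
        text = line.decode("ascii", errors="strict").rstrip("\r\n")
    except UnicodeDecodeError:
        return None  # binary junk (e.g. telnet option negotiation) is not SSH
    m = SSH_ID_RE.match(text)
    return m.groupdict() if m else None


def grab_banner(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Connect and read whatever the service sends first (sshd speaks first).
    Only for use against a real host; the offline classification does not call it."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(256)
        except socket.timeout:
            return b""


def classify_listeners(banners: Dict[int, bytes]) -> List[str]:
    """Given port -> first bytes received, return findings a responder would care about."""
    findings: List[str] = []
    ssh_ports: List[int] = []
    for port, banner in sorted(banners.items()):
        info = parse_ssh_banner(banner)
        if info:
            ssh_ports.append(port)
            if port != 22:
                findings.append(
                    f"SSH server ({info['software']}) on non-standard port {port}"
                )
    if 22 in banners and 22 not in ssh_ports:
        findings.append("port 22 open but does not speak SSH")
    if ssh_ports and 22 not in ssh_ports:
        findings.append(
            "no SSH listener on port 22 while SSH is served elsewhere; "
            "likely a replacement/backdoor sshd"
        )
    return findings


# Constructed sample (hypothetical banners, not from the host in the post):
# an FTP greeting, telnet option negotiation bytes, and an sshd on 7879.
SAMPLE: Dict[int, bytes] = {
    21: b"220 painkeeper FTP server ready.\r\n",
    23: b"\xff\xfd\x18\xff\xfd \xff\xfd#\xff\xfd'",
    7879: b"SSH-1.99-OpenSSH_2.3.0p1\r\n",
}

if __name__ == "__main__":
    for finding in classify_listeners(SAMPLE):
        print(finding)
```

Run against a live host by filling the dict with grab_banner(host, port) for each port from a port scan; the classification is deliberately separate from the network code so it can be applied to saved scan output as well.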

