Security Incidents mailing list archives
Re: Port UDP 3049
From: Thomas Akin <takin () kennesaw edu>
Date: 14 Mar 2002 05:58:54 -0000
In-Reply-To: <Pine.LNX.4.43.0203110937340.11382-100000 () mail securityfocus com>

I recently had an unpatched Red Hat 7.2 machine hacked. I discovered a UDP port 3049 listening process... The process binary was ./v

After the compromise I recorded most of the volatile info and found a binary 'v' in "/dev/.. " (three spaces) and assumed it was the ./v listening to 3049. Mistake. The ./v in the "/dev/.. " directory was the Vanish II program. Now I have to analyze the unallocated inodes to find the ./v program listening to port 3049.

Biggest problem now is time. They keep me busy around here.... Will post the findings as time permits....

Thomas Akin

--
Thomas Akin, CISSP
Director, Southeast Cybercrime Institute
takin () kennesaw edu
www.cybercrime.kennesaw.edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
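The hiding place described in the message above, a directory under /dev whose name is dots followed by spaces, can be looked for with a short scan. The script below is an added example, not part of the original post; the function names and the three heuristics are assumptions chosen for illustration, and `-mindepth` needs GNU or BSD find.

```shell
#!/bin/sh
# Added example (not from the original post).
# Flags entries in a device tree that resemble the "/dev/.. " hiding place:
#   trailing-space  name ends in a space, so it looks like "." or ".." in ls
#   hidden-dir      directory whose name starts with a dot
#   regular-file    ordinary file where device nodes are expected
# These are heuristics: tmpfs mounts such as /dev/shm legitimately hold
# regular files, and some init systems create dot-directories in /dev.

# report REASON
# Reads one path per line on stdin and prints "REASON<TAB>[path]".
# The brackets make trailing spaces in the name visible.
report() {
    while IFS= read -r p; do
        printf '%s\t[%s]\n' "$1" "$p"
    done
}

# suspicious_dev_entries [DIR]
# Scans DIR (default /dev) and prints one line per finding.
# Paths containing newlines are not handled.
suspicious_dev_entries() {
    root=${1:-/dev}
    find "$root" -mindepth 1 -name '* ' 2>/dev/null | report trailing-space
    find "$root" -mindepth 1 -type d -name '.*' 2>/dev/null | report hidden-dir
    find "$root" -mindepth 1 -type f 2>/dev/null | report regular-file
}

# When run as a script with a directory argument, scan that directory.
if [ "$#" -gt 0 ]; then
    suspicious_dev_entries "$1"
fi
```

Run it against a read-only mount of the suspect disk image rather than the live system where possible, since a rootkit on the live host may hide entries from `find`.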