Re: Server Compromised ?

[Ansgar -59cobalt- Wiechers <bugtraq () planetcobalt net>]

On 2006-01-26 Daniel Gil wrote:
> I have got two servers (let's say server A 123.123.123.123 & server B
> 123.123.123.124) behind my ISP firewall.

If you must obfuscate addresses, please do not use live ones for it.

> Both are W2k, and if I run 'netstat -an' I get similar results:

[ Lots of open ports ]

> I have some questions that I can't answer yet:
>
> 1.- What is the real meaning of all those ports open in both machines
> at address 0.0.0.0 ?.

That means there are services listening on that port on all interfaces.

> It's ok have to many ?.

That depends on what services you want to provide. Usually I'd say no.

> 2.- Who/what is listening in port 2751 (and in others ones) on server A?

That can be most anything. You'll need to find out what process is bound
to that port and what this process is supposed to do. TCPView [1],
OpenPorts [2], fport [3] or Vision [4] may help.

[1] http://www.sysinternals.com/Utilities/TcpView.html
[2] http://www.diamondcs.com.au/openports/
[3] http://www.foundstone.com/resources/proddesc/fport.htm
[4] http://www.foundstone.com/resources/proddesc/vision.htm

Regards
Ansgar Wiechers
-- 
"All vulnerabilities deserve a public fear period prior to patches
becoming available."
--Jason Coombs on Bugtraq

---------------------------------------------------------------------------
EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE
The Norwich University program offers unparalleled Infosec management 
education and the case study affords you unmatched consulting experience. 
Tailor your education to your own professional goals with degree 
customizations including Emergency Management, Business Continuity Planning, 
Computer Emergency Response Teams, and Digital Investigations. 

http://www.msia.norwich.edu/secfocus
---------------------------------------------------------------------------