Security Basics mailing list archives

Re: Server Compromised ?


From: List Spam <listspam () gmail com>
Date: Fri, 27 Jan 2006 07:25:36 -0800

On 1/26/06, Daniel Gil <Daniel.Gil () itcon com ar> wrote:

> I am a bit confused.


<snip>

> I have some questions that I can't answer yet:

> 1.- What is the real meaning of all those ports open in both machines at
> address 0.0.0.0? Is it OK to have so many?

0.0.0.0 simply means "all addresses".  Therefore, anything listening
on 0.0.0.0 will be served on any IP defined on your box.  As to if
it's okay to have that many, you need to find out the expected ports
for all services you know you want running on it, then compare.  If
you don't expect it, then it's not okay.

> 2.- Who/what is listening on port 2751 (and on other ones) on server A?

There are standard port definitions (e.g. 80/tcp for HTTP), but you
can make any service listen on any port supported by the protocol
(e.g. 8080/tcp for HTTP).  Since these are W2K boxes, the included
version of NETSTAT.EXE does not have the "-o" switch, which ties the
port to a PID.  A freeware utility from SysInternals, called TCPVIEW,
will provide this functionality in a nice little GUI for you.  Google
for it.  Many of their tools are quite valuable in sorting through
these kinds of things - beyond simple identification of a listening
process.  Other tools exist for this purpose as well.  Google for
Foundstone and check out their freeware too.

> Any help/hint will be appreciated!!!

> I have run Antivirus & Antispyware without any success on server A.

Does the software not run successfully or simply does not report
anything untoward?  Either way, if you suspect the box is compromised,
don't trust the output.  If you prove the box is uncompromised, either
fix your AV/Spyware software (if the former condition is true), or
take the output as verification the box is not compromised (if the
latter is true).

My two cents.

RE
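The reply above boils down to a procedure: list everything that is bound to a port, remember that 0.0.0.0 means the socket answers on every address the box has, and compare the list against the ports you expect the machine to serve. As an added example (not part of the original thread, and not a SysInternals or Foundstone tool), the script below does that comparison over the text that Windows NETSTAT.EXE prints. It handles both the W2K "netstat -an" layout, which has no PID column (so pid stays None, which is exactly why the reply points at TCPVIEW), and the later "netstat -ano" layout that adds one. The netstat output embedded in the block is constructed for the example; the only port taken from the thread is 2751, which is used as the unexpected listener.

```python
"""Compare Windows netstat output against a baseline of expected listeners.

Added example; not from the original thread.  The sample netstat text below
is constructed, and the EXPECTED baseline is an assumption standing in for
"the ports you know you want running on this box".
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# One socket line from "netstat -an" (W2K) or "netstat -ano" (XP and later).
# The state column exists only for TCP and always starts with a letter, so
# a trailing run of digits can only be the PID column added by "-o".
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<addr>\S+):(?P<port>\d+)\s+"
    r"(?P<raddr>\S+)"
    r"(?:\s+(?P<state>[A-Z][A-Z_0-9]*))?"
    r"(?:\s+(?P<pid>\d+))?\s*$"
)


@dataclass(frozen=True)
class Listener:
    proto: str           # "tcp" or "udp"
    addr: str            # local address exactly as netstat printed it
    port: int
    pid: Optional[int]   # None when netstat had no "-o" column (W2K)

    def reach(self) -> str:
        """Plain-English meaning of the bound address."""
        if self.addr in ("0.0.0.0", "[::]"):
            return "all addresses"
        return f"only {self.addr}"


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Return the listening sockets in netstat output.

    TCP sockets count only in LISTENING state (an ESTABLISHED line is a
    connection, not a service); every bound UDP socket counts, because UDP
    has no connection state for netstat to report.
    """
    found = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines, blank lines
        proto = m["proto"].lower()
        if proto == "tcp" and m["state"] != "LISTENING":
            continue
        pid = int(m["pid"]) if m["pid"] else None
        found.append(Listener(proto, m["addr"], int(m["port"]), pid))
    return found


def unexpected_listeners(netstat_text: str,
                         expected: Set[Tuple[str, int]]) -> List[Listener]:
    """Listeners whose (proto, port) is not in the expected baseline."""
    return [l for l in parse_listeners(netstat_text)
            if (l.proto, l.port) not in expected]


# Constructed sample in the W2K "netstat -an" layout (no PID column).
SAMPLE_W2K = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2751           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1043      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed sample in the later "netstat -ano" layout (PID column present).
SAMPLE_XP = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:2751           0.0.0.0:0              LISTENING       1384
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumed baseline: the services this box is supposed to offer.
EXPECTED = {("tcp", 135), ("tcp", 139), ("tcp", 445),
            ("udp", 137), ("udp", 445)}

if __name__ == "__main__":
    for name, text in (("W2K", SAMPLE_W2K), ("XP", SAMPLE_XP)):
        for l in unexpected_listeners(text, EXPECTED):
            who = f"PID {l.pid}" if l.pid is not None else "PID unknown, use TCPView"
            print(f"{name}: unexpected {l.proto}/{l.port} bound to {l.reach()} ({who})")
```

The report from the W2K sample names tcp/2751 bound to all addresses with no PID, which is the situation in the thread; the same script over "-ano" output attaches the PID so the process can be looked up directly. Build the baseline from the services you installed on purpose, not from a netstat run on a box you already suspect, or you will bless whatever the intruder left behind.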
