Security Incidents mailing list archives

Strange Behaviour !


From: "Naseer Bhatti" <naseer () fibre net pk>
Date: Fri, 26 Oct 2001 22:47:58 +0500

[...]
    and finally I am posting this to Incidents
[...]

Hi, I am administering a Linux box running RedHat 7.1 with the 2.4.2-2 kernel.
In fact it's my friend's box.. anyway.. I noticed strange behaviour on the
system. First of all, strange ports are opened and the system is also behind some
sort of firewall. Let me explain in detail.

My Observations ...

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN

[...]

This is the output of netstat -an. I see here port 32768 listening,
but can't find any data when I telnet 0 32768. This port seems to be something
like

filenet-tms 32768/tcp # Filenet TMS
http://www.seifried.org/security/ports/32768.html
filenet-tms 32768/udp # Filenet TMS
http://www.seifried.org/security/ports/32768.html
filenet-rpc 32769/udp # Filenet RPC
http://www.seifried.org/security/ports/32769.html
filenet-rpc 32769/tcp # Filenet RPC
http://www.seifried.org/security/ports/32769.html
filenet-nch 32770/udp # Filenet NCH
http://www.seifried.org/security/ports/32770.html
filenet-nch 32770/tcp # Filenet NCH
http://www.seifried.org/security/ports/32770.html

(404s mostly - courtesy of http://www.seifried.org/security/ports/services.gz )

Sorry, I don't have any knowledge about filenet-tms. The second problem is that on
nmapping the box from outside the domain, say from some other network, it shows

[...]

12345/tcp  filtered    NetBus
31337/tcp  filtered    Elite

[...]

Now this shows that both ports are listening on the box but are filtered, but
I don't see any use of ipchains or any sort of firewall on the system.
Netstat on the localhost doesn't show these ports. The interesting thing about
this is that if I try to connect to both of these ports from localhost, I get
connection refused, and if I try to do it from another network, I don't get any
reply, just on these two ports. This indicates that the trojan is providing
some sort of protection from its master.

My Conclusions...

OK, what I think about all this is that the system is root compromised and
some sort of rootkit is installed on it. Going over the logs I see the
sshd was exploited (the log shows a tremendous amount of ".. terminated on signal
15 .." with some unknown IPs). I also can't see any ./h4hax0r kind of process
running, which forces me to think of a rootkit.

That's all. We can have discussions on that. I will be waiting for responses.


Thanks for the patience of reading this all.

Naseer
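The post's core observation is a disagreement between three views of the same host: what netstat reports locally, what the kernel's own socket table holds, and what a port scan sees from another network (ports 12345 and 31337 "filtered" from outside but "connection refused" locally). The script below, an added example that is not part of the original post or of any tool it mentions, parses constructed samples in the layout of `netstat -an`, nmap's port table and `/proc/net/tcp`, and reports every port where the views disagree. All sample data is constructed for the example; the service names and the idea of comparing netstat against `/proc/net/tcp` are assumptions of the editor, not something the post states.

```python
"""Cross-check three views of a host's listening ports and flag disagreements.

A port that is 'filtered' from outside but has no local listener points at
something between the two vantage points (a firewall rule, or a socket the
userland tools no longer show); a port that the kernel table lists as LISTEN
but netstat omits is the classic sign of a trojaned netstat binary.

Added example; all samples below are constructed, not taken from the post."""

import re
from dataclasses import dataclass

# Constructed sample in the layout of `netstat -an` quoted in the post.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:22             10.0.0.9:4321           ESTABLISHED
udp        0      0 0.0.0.0:111             0.0.0.0:*
"""

# Constructed sample of nmap's port table as seen from another network.
NMAP_SAMPLE = """\
Port       State       Service
22/tcp     open        ssh
98/tcp     open        linuxconf
12345/tcp  filtered    NetBus
31337/tcp  filtered    Elite
32768/tcp  open        filenet-tms
"""

# Constructed sample in the layout of /proc/net/tcp (ports in hex, st 0A = LISTEN).
# 0x3039 = 12345 is listed here but absent from the netstat sample above.
PROC_NET_TCP_SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1
   1: 00000000:0062 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1
   2: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1236 1
   3: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1237 1
"""

NETSTAT_RE = re.compile(r"^(tcp|udp)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(\S+)?")
NMAP_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)")


def parse_netstat_listeners(text):
    """Return {(proto, port)} for TCP sockets in LISTEN state and any bound UDP socket."""
    listeners = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        proto, _addr, port, state = m.groups()
        if proto == "tcp" and state != "LISTEN":
            continue
        listeners.add((proto, int(port)))
    return listeners


def parse_nmap(text):
    """Return {(proto, port): state} from nmap's port table."""
    seen = {}
    for line in text.splitlines():
        m = NMAP_RE.match(line)
        if m:
            port, proto, state, _service = m.groups()
            seen[(proto, int(port))] = state
    return seen


def parse_proc_net_tcp(text):
    """Return the set of TCP ports the kernel table shows in LISTEN state (st == 0A)."""
    ports = set()
    for line in text.splitlines()[1:]:      # skip the column header
        parts = line.split()
        if len(parts) < 4:
            continue
        _ip_hex, port_hex = parts[1].split(":")
        if parts[3] == "0A":
            ports.add(int(port_hex, 16))
    return ports


@dataclass(frozen=True)
class Finding:
    proto: str
    port: int
    local: str     # "LISTEN" or "closed" according to netstat
    remote: str    # nmap state, or "unseen" if the scan did not list the port
    note: str


def compare_views(netstat_text, nmap_text):
    """List every port where the local netstat view and the external scan disagree."""
    local = parse_netstat_listeners(netstat_text)
    remote = parse_nmap(nmap_text)
    findings = []
    for key in sorted(local | set(remote)):
        proto, port = key
        l_state = "LISTEN" if key in local else "closed"
        r_state = remote.get(key, "unseen")
        if l_state == "LISTEN" and r_state == "open":
            continue                         # both views agree, nothing to report
        if l_state == "closed" and r_state == "filtered":
            note = "filtered externally with no local listener: inspect host firewall rules and the kernel socket table"
        elif l_state == "closed" and r_state == "open":
            note = "open externally but missing from netstat: listener hidden from userland tools"
        elif l_state == "LISTEN":
            note = "listening locally but not reachable from the scan: filtered upstream or outside the scan range"
        else:
            note = "views disagree"
        findings.append(Finding(proto, port, l_state, r_state, note))
    return findings


def hidden_from_netstat(netstat_text, proc_text):
    """TCP ports the kernel table lists as LISTEN that netstat did not report."""
    by_netstat = {p for proto, p in parse_netstat_listeners(netstat_text) if proto == "tcp"}
    return sorted(parse_proc_net_tcp(proc_text) - by_netstat)


if __name__ == "__main__":
    for f in compare_views(NETSTAT_SAMPLE, NMAP_SAMPLE):
        print(f"{f.port}/{f.proto}: local={f.local} remote={f.remote} -> {f.note}")
    print("LISTEN in /proc/net/tcp but not in netstat:", hidden_from_netstat(NETSTAT_SAMPLE, PROC_NET_TCP_SAMPLE))
```

On a real host the three inputs come from `netstat -an`, a scan run from a different network, and `cat /proc/net/tcp`; a kernel-level rootkit can hide a socket from `/proc` as well, so agreement between netstat and `/proc/net/tcp` rules out only a replaced netstat binary, not a compromised kernel.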


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

