Penetration Testing mailing list archives

Re: Strange service on Port 5656


From: "Neal K. Groothuis" <ngroot-securityfocus () lo-cal org>
Date: Wed, 16 Apr 2003 17:20:37 -0500

I suspect that Nessus detected this as "time server" because
it returned a 32-bit value and then closed the connection, which
is what the standard time service does (see RFC 868 / STD 26).
However, even if we assume that the eighth bit of each of those
bytes was zeroed by telnet to get printable characters, the
maximum value that that could be is a2acada1 (decimal 2,729,225,633),
and the approximate number of seconds from midnight Jan 1 1900 by
my calculations is 3,256,092,000 (103.25 * 365 * 24 * 60 * 60),
and that's a pretty big discrepancy.  Plus, as was already pointed
out, that's a non-standard port for time service.  The owners of
that box should definitely see what process is listening on that port!

                                                - neal

On Wed, Apr 16, 2003 at 07:19:26PM +0200, B F wrote:
> While conducting one of those tests this list was made
> for, I stumbled over a TCP Service on Port 5656. If I
> netcat on this port the following "banner" is displayed:
> ",!-
>
> When I enter something at this prompt the
> connection is closed immediately. Nessus detects this
> service as time server, can anyone confirm/deny that?
> If this is no time server did someone see this banner
> before? The host in question is a SuSE Linux System and
> has a vulnerable (OpenSSH 2.1.1) SSH daemon running,
> so maybe this service is part of a rootkit?

-- 
A faith; this is a necessity for man. Woe to him who believes nothing.
                                                --Victor Hugo
                                                  Les Miserables
PGP key available upon request or at http://www.imsa.edu/~ngroot/
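
The plausibility check reasoned through in the message above, written out as an added example (not code from the original post or from Nessus). The function names and the one-day tolerance are assumptions, and the sample reply is constructed from the post's upper bound a2acada1 with bit 7 cleared.

```python
import struct
from datetime import datetime, timedelta, timezone

# RFC 868 sends seconds since 1900-01-01 00:00:00 UTC as a 32-bit
# big-endian integer, then closes the connection.
EPOCH_1900 = datetime(1900, 1, 1, tzinfo=timezone.utc)

def expected_rfc868(when):
    """Value a correct time server would send at `when`."""
    return int((when - EPOCH_1900).total_seconds())

def readings(reply):
    """Both interpretations considered in the post: the bytes as seen,
    and the same bytes with bit 7 set (undoing a 7-bit terminal)."""
    if len(reply) != 4:
        raise ValueError("an RFC 868 reply is exactly 4 bytes")
    as_seen = struct.unpack("!I", reply)[0]
    return {"as_seen": as_seen, "bit7_set": as_seen | 0x80808080}

def check_time_reply(reply, observed, tolerance=86400):
    """Return (plausible, report). Plausible only if some reading lies
    within `tolerance` seconds (assumed: one day) of `observed`."""
    want = expected_rfc868(observed)
    report = {}
    for name, value in readings(reply).items():
        report[name] = {
            "value": value,
            "decoded": EPOCH_1900 + timedelta(seconds=value),
            "skew": value - want,
        }
    plausible = any(abs(r["skew"]) <= tolerance for r in report.values())
    return plausible, report

# Constructed input: the post's upper bound a2acada1 with bit 7 cleared,
# i.e. what a 7-bit terminal would have displayed.
SAMPLE_REPLY = bytes.fromhex("222c2d21")
# Timestamp of the quoted report (19:19:26 +0200), taken as scan time.
OBSERVED = datetime(2003, 4, 16, 17, 19, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok, report = check_time_reply(SAMPLE_REPLY, OBSERVED)
    for name, r in report.items():
        print(f"{name}: {r['value']:#010x} -> {r['decoded']:%Y-%m-%d} "
              f"(skew {r['skew'] / 86400 / 365.25:+.1f} years)")
    print("plausible RFC 868 time server:", ok)
```

Neither reading comes within a day of the scan time, so the 4-byte-then-close behaviour alone is not enough to label the listener a time server.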
