Re: Strange service on Port 5656

[H Carvey <keydet89 () yahoo com>]

In-Reply-To: <200304162335.02476.Leusent () link-net org>

Craig,

> > When I enter something at this prompt the
> > connection is closed immediately.
> That response is clearly characteristic of rootkit
backdoors.

Can you elaborate?  I'm more familiar w/ Windows
systems, but given what little information has been
provided, I'm wondering what it is that you're seeing
that leads to this conclusion.

> > Nessus detects this service as time server, can
anyone confirm/ deny that?
> I have never heard of a time daemon using this port
for anything. If the 
> banner it yields resembles that of a time server, it
may cause nessus to 
> report it as such. The fact that it does doesn't
really prove anything, as it 
> is also a common tactic to make a rootkit yield a
known banner in order to subvert suspicion.

This statement leads me to ask my question again...how
is it that you know, without more information, that
this system has been compromised?
 
I would have suggested further activities, such as
running lsof or fuser on the system, to find the
path/name of the executable image that's bound to that
port.  

Thanks,

Harlan

---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place.  http://www.securityfocus.com/BlackHat-pen-test 
----------------------------------------------------------------------------