[WBEL-users] Port information for 9865 and 44464
Benjamin Smith
lists at benjamindsmith.com
Fri Jun 24 03:50:56 CDT 2005
I hafta admit: it doesn't look good.
A few things to try:
lsof | less
(look thru the list, see if anything jumps out at you. It's a LONG list)
netstat -ln
(helps you see why the ports are open)
Don't forget chkrootkit (google for it)
Other things: do a `find / -iname \.\*` to find "dot" (hidden) files. Look
thru /tmp closely. Look thru /var/log/messages, /var/log/httpd/error_log and
any other HTTPD log files. If you can find out approx. when a compromise took
place, use find with the "mtime" and "ctime" options to find any files
created within a day or so of that initial hack.
More info from a honeypot project:
http://www.honeynet.org/scans/scan29/sol/ydjemaiel/Answers.html
Best of luck,
-Ben
On Friday 24 June 2005 01:32, Plug N Play wrote:
> Dear WBL Users,
>
> Greetings,
>
> Today, I discovered two new high ports open on my server. Ports 9865
> and 44464 are both open and listening to the outside. Would anyone happen to
> know, or have any idea you can share, regarding these two ports?
>
> Also, I tried to telnet to them (telnet localhost 9865 or 44464) and it gives
> me a (sh-2.05b$). Could this mean a hacker has set up a backdoor, or that I'm
> already compromised?
>
> Any information would be very much appreciated.
>
> Thank you,
> Marc
--
"The best way to predict the future is to invent it."
- XEROX PARC slogan, circa 1978
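
The time-window search suggested in the reply above, as an added example that is not part of the original post: a shell function, assuming GNU find and GNU date, that lists files whose mtime or ctime falls within a day or so of a suspected compromise time. The function name `changed_near` and the sample date in the comments are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Requires GNU find and GNU date.
#
# changed_near ROOT WHEN [DAYS]
#   ROOT  directory to search (stays on one filesystem via -xdev)
#   WHEN  suspected compromise time, e.g. '2005-06-23 12:00:00' (constructed)
#   DAYS  half-width of the window in days (default 1)
#
# A file is reported when EITHER its mtime or its ctime lies in the window.
# ctime is checked as well because mtime can be reset with touch(1), while
# ctime is updated by the kernel on every inode change.
changed_near() {
    root=$1
    when=$2
    days=${3:-1}

    # Convert to epoch seconds first so the +/- arithmetic is unambiguous.
    centre=$(date -d "$when" +%s) || return 1
    lo=$((centre - days * 86400))
    hi=$((centre + days * 86400))

    # Back to local-time strings, which is how find reads -newerXt arguments.
    start=$(date -d "@$lo" '+%Y-%m-%d %H:%M:%S') || return 1
    end=$(date -d "@$hi" '+%Y-%m-%d %H:%M:%S') || return 1

    # -newermt T : mtime is later than T;  ! -newermt T : mtime is T or earlier.
    # -newerct does the same for ctime.
    # Output columns: mtime, ctime, owner, mode, path (dot files included).
    find "$root" -xdev -type f \
        \( \( -newermt "$start" ! -newermt "$end" \) -o \
           \( -newerct "$start" ! -newerct "$end" \) \) \
        -printf '%T+ %C+ %u %m %p\n' 2>/dev/null | sort
}

# Typical use, run as root so unreadable directories are not skipped:
#   changed_near /tmp '2005-06-23 12:00:00' 1
#   changed_near /    '2005-06-23 12:00:00' 2 | less
```

Run it from trusted media or a known-good copy of find where possible, since binaries on a compromised host may have been replaced.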