[WBEL-users] Port information for 9865 and 44464

Johnny Hughes mailing-lists at hughesjr.com
Fri Jun 24 04:47:16 CDT 2005


On Fri, 2005-06-24 at 01:50 -0700, Benjamin Smith wrote:
> I hafta admit: it doesn't look good. 
> 
> A few things to try: 
> 
> lsof | less 
> (look thru the list, see if anything jumps out at you. It's a LONG list) 
> 
> netstat -ln 
> (helps you see why the ports are open) 
> 
> Don't forget chkrootkit (google for it) 
> 
> Other things: do a `find / -iname \.\*` to find "dot" (hidden) files. Look 
> thru /tmp closely. Look thru /var/log/messages, /var/log/httpd/error_log and 
> any other HTTPD log files. If you can find out approx. when a compromise took 
> place, use find with the "mtime" and "ctime" options to find any files 
> created within a day or so of that initial hack. 
> 
> More info from a honeypot project: 
> http://www.honeynet.org/scans/scan29/sol/ydjemaiel/Answers.html
> 
> Best of luck, 
> 
> -Ben 
> 
> 
> 
> On Friday 24 June 2005 01:32, Plug N Play wrote:
> > Dear WBL Users,
> > 
> > Greetings,
> > 
> > Today, I have discovered two new high ports opened from my server. Port 9865
> > and 44464 are both opened and listening to outside. Would anyone happen to
> > know or have an idea that you can share regarding these two ports?
> > 
> > Also I tried to telnet them (telnet localhost 9865 or 44464) and it gives me
> > a (sh-2.05b$). Could this mean a hacker has set up a backdoor? Or I'm already
> > being compromised?
> > 
> > Any information would be very much appreciated.
> > 
> > Thank you,
> > Marc

If you telnet to the port and get a bash prompt, it is almost guaranteed
that you are hacked and have trojans listening on that port.

Use the command:

netstat -aptn

it will tell you open ports and what program has them open.

It is possible that these ports will not show up if there has been a
root kit that replaces lsof (it will also show what program uses which
port) or netstat.

you can use the command:

rpm -Vv net-tools

and

rpm -Vv lsof

You should see 8 dots, a blank space (or c for config file and d
document), and all the files listed similar to this (for lsof on
CentOS-4):

--------------------------------------------
[root at centosj i386]# rpm -Vv lsof
........    /usr/sbin/lsof
........    /usr/share/doc/lsof-4.72
........  d /usr/share/doc/lsof-4.72/00.README.FIRST
........  d /usr/share/doc/lsof-4.72/00.README.FIRST_4.72
........  d /usr/share/doc/lsof-4.72/00CREDITS
........  d /usr/share/doc/lsof-4.72/00DCACHE
........  d /usr/share/doc/lsof-4.72/00DIALECTS
........  d /usr/share/doc/lsof-4.72/00DIST
........  d /usr/share/doc/lsof-4.72/00FAQ
........  d /usr/share/doc/lsof-4.72/00LSOF-L
........  d /usr/share/doc/lsof-4.72/00MANIFEST
........  d /usr/share/doc/lsof-4.72/00PORTING
........  d /usr/share/doc/lsof-4.72/00QUICKSTART
........  d /usr/share/doc/lsof-4.72/00README
........  d /usr/share/doc/lsof-4.72/00TEST
........  d /usr/share/doc/lsof-4.72/00XCONFIG
........  d /usr/share/man/man8/lsof.8.gz
--------------------------------------------------------

If any of the dots are replaced with letters, something about that file
has changed since install from the RPM ... see "man rpm" in the "Verify
Options" for details.

Root Kits will replace executables with other ones that don't show the
rogue processes or ports as open ... also check here for ports tied to
specific threats:

http://isc.sans.org/

It is critical that all updates be done in a timely manner for all
internet facing machines ... or at least that you run a good iptables
firewall on internet facing machines that only allows connections that
are necessary.

-- Johnny Hughes
<http://www.CentOS.org>
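The two checks recommended in this thread (netstat -aptn to map listening ports to processes, and rpm -Vv to confirm net-tools and lsof still match their packages) produce output that is easy to misread in a hurry. The script below is an added example, not code from the mailing list or from CentOS; it parses the output formats shown above and reports what a responder would look at first. Both command outputs embedded in it are constructed samples (the ports 9865 and 44464 come from the original question); the verify flag letters are rpm's documented ones (S M 5 D L U G T), and the file paths in the samples are illustrative.

```python
"""Triage helpers for the two checks discussed in the thread:
  - which processes hold listening TCP sockets (netstat -aptn)
  - whether package files still match their RPM (rpm -Vv)
Added example; sample outputs below are constructed, not captured."""

import re

# rpm -V attribute column, one character per check (rpm 4.x, as on CentOS-4).
RPM_VERIFY_FLAGS = {
    "S": "size differs",
    "M": "mode (permissions/type) differs",
    "5": "MD5 digest differs",
    "D": "device major/minor differs",
    "L": "symlink target differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
}

# Constructed `rpm -Vv net-tools` output: one binary altered, one doc missing.
SAMPLE_RPM_VERIFY = """\
........    /bin/arp
S.5....T    /bin/netstat
........    /sbin/ifconfig
........  d /usr/share/doc/net-tools-1.60/README
missing     /usr/share/man/man8/netstat.8.gz
"""

# Constructed `netstat -aptn` output: sshd and sendmail are expected;
# the two high ports are not, and one has no owning process shown.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      900/sendmail
tcp        0      0 0.0.0.0:9865            0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:44464           0.0.0.0:*               LISTEN      4211/sh
tcp        0      0 10.0.0.5:22             10.0.0.9:51022          ESTABLISHED 3377/sshd
"""

_VERIFY_LINE = re.compile(r"^([.SM5DLUGT]{8})\s+([cdglr]?)\s*(/\S+)$")


def parse_rpm_verify(output):
    """Return [(path, file_type, [reasons])] for every file rpm -Vv reports
    as changed or missing. Lines whose attribute column is all dots are
    unchanged and are dropped."""
    findings = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("missing"):
            parts = line.split()
            ftype = parts[1] if len(parts) == 3 else ""
            findings.append((parts[-1], ftype, ["missing"]))
            continue
        m = _VERIFY_LINE.match(line)
        if not m:
            continue  # headers, blank lines, anything not in verify format
        attrs, ftype, path = m.groups()
        reasons = [RPM_VERIFY_FLAGS[ch] for ch in attrs if ch != "."]
        if reasons:
            findings.append((path, ftype, reasons))
    return findings


def parse_netstat_listeners(output):
    """Return the LISTEN rows of `netstat -aptn` as dicts. netstat prints
    '-' in the PID/Program column when it cannot map the socket to a
    process (not run as root, or the process is hidden from it)."""
    listeners = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 7 or not parts[0].startswith("tcp"):
            continue
        if parts[5] != "LISTEN":
            continue
        addr, port = parts[3].rsplit(":", 1)
        prog = parts[6]
        pid, program = (None, None)
        if prog != "-":
            pid, _, program = prog.partition("/")
        listeners.append({"addr": addr, "port": int(port),
                          "pid": pid, "program": program})
    return listeners


def flag_listeners(listeners, expected_ports):
    """Listening ports to examine first: not in the administrator's
    expected set, or with no owning process reported."""
    flagged = []
    for s in listeners:
        reasons = []
        if s["port"] not in expected_ports:
            reasons.append("unexpected port")
        if s["program"] is None:
            reasons.append("no owning process shown")
        if reasons:
            flagged.append((s["port"], s["program"], reasons))
    return flagged


if __name__ == "__main__":
    for path, ftype, reasons in parse_rpm_verify(SAMPLE_RPM_VERIFY):
        print("rpm: %s %s: %s" % (path, ftype, ", ".join(reasons)))
    for port, prog, reasons in flag_listeners(
            parse_netstat_listeners(SAMPLE_NETSTAT), {22, 25}):
        print("netstat: port %d (%s): %s" % (port, prog, ", ".join(reasons)))
```

To run it against a live box, replace the two constants with the output of `rpm -Vv net-tools` and `netstat -aptn` (run as root so the PID/Program column is populated). The point the thread makes still applies: a changed netstat binary (the S/5/T flags on /bin/netstat in the sample) means the socket list itself cannot be trusted, so the rpm result should be read before the netstat result, and a clean result from a tool run on the suspect host is only as good as the package database and the tools that were not replaced.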
