Strange Behaviour !

From: Naseer Bhatti (naseerat_private)
Date: Fri Oct 26 2001 - 10:47:58 PDT

Previous message: Valdis.Kletnieksat_private: "Re: TCP/2484"
Next in thread: dewt: "Re: Strange Behaviour !"
Reply: dewt: "Re: Strange Behaviour !"
Reply: Christian Vogel: "Re: Strange Behaviour !"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

[...]
    and finaly I am posting this to Incodents
[...]

Hi, I am administrating a Linux box running RedHat 7.1 with 2.4.2-2 kernel.
Infact it's my fiend's box..anyway.. I noticed strange behaviour on the
system. First of all strange ports are opened and the system is also on some
sort of Firewall. Let me explain in detail.

My Observations ...

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768        0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN

[...]

like this is the output of netstat -an. I see here port 32768 listening oon
but can't find any data when telnet 0 32768. This port seems to be something
like

filenet-tms 32768/tcp # Filenet TMS
http://www.seifried.org/security/ports/32768.html
filenet-tms 32768/udp # Filenet TMS
http://www.seifried.org/security/ports/32768.html
filenet-rpc 32769/udp # Filenet RPC
http://www.seifried.org/security/ports/32769.html
filenet-rpc 32769/tcp # Filenet RPC
http://www.seifried.org/security/ports/32769.html
filenet-nch 32770/udp # Filenet NCH
http://www.seifried.org/security/ports/32770.html
filenet-nch 32770/tcp # Filenet NCH
http://www.seifried.org/security/ports/32770.html

(404s mostly - courtecy http://www.seifried.org/security/ports/services.gz )

Sorry, I don't have knowledge about filenet-tms. Second problem is that On
nmaping the box from outside the domain, say some other network, It shows

[...]

12345/tcp  filtered    NetBus
31337/tcp  filtered    Elite

[...]

now this shows both the ports are listening on the box but are filtered but
I don't see any use of ipchains or any sort of firewall on the system.
Netstat on the localhost don't show these ports. Interesting thing about
this is, that If I try to connect to these both ports from localhost, I get
connection refused and If I try to do it from other network, I don't get any
reply just on these two ports. Which indicates that the trojan is making
some sort of protection from its master.

My Conclusions...

ok, what I think about all this is that the system is root compromised and
some sort of rootkit is installed on it. Getting all over the logs I see the
sshd was exploited (log shows tremendous amount of .. terminated on signal
15 .. with some unknown IPs). I also can't see any ./h4hax0r kind of process
running, which makes me force to think of rootkit.

Thats all, We can have discussions on that. I will be waiting for responces.


Thanks for the patience of reading this all.

Naseer


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Next message: dewt: "Re: Xterm"
Previous message: Valdis.Kletnieksat_private: "Re: TCP/2484"
Next in thread: dewt: "Re: Strange Behaviour !"
Reply: dewt: "Re: Strange Behaviour !"
Reply: Christian Vogel: "Re: Strange Behaviour !"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 10:55:23 PDT