[...] and finally I am posting this to Incidents [...]

Hi,

I am administrating a Linux box running RedHat 7.1 with 2.4.2-2 kernel. In fact it's my friend's box.. anyway.. I noticed strange behaviour on the system. First of all, strange ports are opened and the system is also on some sort of firewall. Let me explain in detail.

My Observations...

    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
    tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
    [...]

This is the output of netstat -an. I see here port 32768 listening, but can't find any data when I telnet 0 32768. This port seems to be something like

    filenet-tms 32768/tcp # Filenet TMS http://www.seifried.org/security/ports/32768.html
    filenet-tms 32768/udp # Filenet TMS http://www.seifried.org/security/ports/32768.html
    filenet-rpc 32769/udp # Filenet RPC http://www.seifried.org/security/ports/32769.html
    filenet-rpc 32769/tcp # Filenet RPC http://www.seifried.org/security/ports/32769.html
    filenet-nch 32770/udp # Filenet NCH http://www.seifried.org/security/ports/32770.html
    filenet-nch 32770/tcp # Filenet NCH http://www.seifried.org/security/ports/32770.html

(404s mostly - courtesy http://www.seifried.org/security/ports/services.gz)

Sorry, I don't have knowledge about filenet-tms.

Second problem is that on nmapping the box from outside the domain, say some other network, it shows

    [...]
    12345/tcp  filtered  NetBus
    31337/tcp  filtered  Elite
    [...]

Now this shows both the ports are listening on the box but are filtered, but I don't see any use of ipchains or any sort of firewall on the system. Netstat on the localhost doesn't show these ports. The interesting thing about this is that if I try to connect to these two ports from localhost, I get connection refused, and if I try to do it from another network, I don't get any reply, just on these two ports. Which indicates that the trojan is making some sort of protection for its master.
My Conclusions...

OK, what I think about all this is that the system is root compromised and some sort of rootkit is installed on it. Going over the logs I see the sshd was exploited (the log shows a tremendous amount of ".. terminated on signal 15 .." with some unknown IPs). I also can't see any ./h4hax0r kind of process running, which forces me to think of a rootkit.

That's all, we can have discussions on that. I will be waiting for responses. Thanks for the patience of reading this all.

Naseer

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
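The local-versus-remote comparison the post walks through by hand, as an added example that is not part of the original message: parse a `netstat -an` listing taken on the host and an nmap report taken from another network (both samples below are constructed to match the post's formats) and report every port the scanner sees but the host's own netstat does not list, which is exactly the discrepancy a port-hiding rootkit or a backdoor with a trojaned netstat produces.

```python
import re

# Constructed sample of `netstat -an` output, modelled on the post's listing.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""

# Constructed sample of an external nmap report against the same host.
NMAP_SAMPLE = """\
Port       State       Service
22/tcp     open        ssh
98/tcp     open        linuxconf
12345/tcp  filtered    NetBus
31337/tcp  filtered    Elite
32768/tcp  open        unknown
"""


def listening_ports(netstat_text):
    """Set of (proto, port) the host itself reports as listening."""
    ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("tcp", "udp"):
            continue
        # udp lines carry no State column; tcp listeners say LISTEN.
        if fields[0] == "tcp" and fields[-1] != "LISTEN":
            continue
        ports.add((fields[0], int(fields[3].rsplit(":", 1)[1])))
    return ports


def scanned_ports(nmap_text):
    """{(proto, port): state} for every port nmap did not report closed."""
    found = {}
    for line in nmap_text.splitlines():
        m = re.match(r"(\d+)/(tcp|udp)\s+(\S+)", line)
        if m and m.group(3) != "closed":
            found[(m.group(2), int(m.group(1)))] = m.group(3)
    return found


def hidden_ports(netstat_text, nmap_text):
    """Ports seen from outside that the host's own netstat does not show.

    On a box with no packet filter of its own, an entry here is the pattern
    the post describes: something answers (or drops) remotely on a port the
    local tools claim is not there. Investigate from trusted media, not with
    the host's own binaries.
    """
    local = listening_ports(netstat_text)
    return {p: s for p, s in scanned_ports(nmap_text).items() if p not in local}
```

With the constructed samples, `hidden_ports(NETSTAT_SAMPLE, NMAP_SAMPLE)` returns only the two filtered ports 12345/tcp and 31337/tcp; 22, 98 and 32768 are visible on both sides and so are not flagged.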
This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 10:55:23 PDT