Strange Behaviour!

From: Naseer Bhatti (naseerat_private)
Date: Fri Oct 26 2001 - 10:47:58 PDT


        and finally I am posting this to Incidents
    Hi, I am administering a Linux box running RedHat 7.1 with 2.4.2-2 kernel.
    In fact it's my friend's box.. anyway.. I noticed strange behaviour on the
    system. First of all strange ports are opened and the system is also on some
    sort of firewall. Let me explain in detail.
    My Observations ...
    Active Internet connections (servers and established)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0*               LISTEN
    tcp        0      0    *               LISTEN
    like this is the output of netstat -an. I see here port 32768 listening on
    but can't find any data when telnet 0 32768. This port seems to be something
    filenet-tms 32768/tcp # Filenet TMS
    filenet-tms 32768/udp # Filenet TMS
    filenet-rpc 32769/udp # Filenet RPC
    filenet-rpc 32769/tcp # Filenet RPC
    filenet-nch 32770/udp # Filenet NCH
    filenet-nch 32770/tcp # Filenet NCH
    (404s mostly - courtesy )
    Sorry, I don't have knowledge about filenet-tms. Second problem is that on
    nmapping the box from outside the domain, say some other network, it shows
    12345/tcp  filtered    NetBus
    31337/tcp  filtered    Elite
    now this shows both the ports are listening on the box but are filtered but
    I don't see any use of ipchains or any sort of firewall on the system.
    Netstat on the localhost doesn't show these ports. Interesting thing about
    this is that if I try to connect to both these ports from localhost, I get
    connection refused and if I try to do it from another network, I don't get any
    reply just on these two ports, which indicates that the trojan is making
    some sort of protection from its master.
    My Conclusions...
    OK, what I think about all this is that the system is root compromised and
    some sort of rootkit is installed on it. Going over all the logs I see the
    sshd was exploited (log shows a tremendous amount of .. terminated on signal
    15 .. with some unknown IPs). I also can't see any ./h4hax0r kind of process
    running, which forces me to think of a rootkit.
    That's all, we can have discussions on that. I will be waiting for responses.
    Thanks for the patience of reading all this.
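The first check a responder would run on a box like this, added here as an example and not part of Naseer's post: compare the kernel's own socket table in /proc/net/tcp against what the netstat binary reports. A userland rootkit that replaces netstat can drop a listener from `netstat -an`, but it cannot edit /proc/net/tcp without a kernel module, so a port that the kernel lists in LISTEN state and netstat does not is a strong sign that netstat itself has been trojaned. The function names and the two sample files below are my own constructions (the sample data mimics the post's scenario: 22 and 32768 visible to netstat, 12345 hidden); on a real box you would pass /proc/net/tcp and a saved `netstat -an` listing instead.

```shell
#!/bin/sh
# Added example (not from the original post). Cross-check the kernel socket
# table against netstat output to spot listeners a trojaned netstat hides.

# proc_listen_ports FILE
#   Print the decimal TCP ports in LISTEN state (st == 0A) from a file in
#   /proc/net/tcp format, one per line, numerically sorted. local_address
#   is HEXIP:HEXPORT, so the port has to be converted from hex by hand
#   (POSIX awk has no strtonum).
proc_listen_ports() {
    awk '
    function hex2dec(h,    i, d) {
        d = 0
        for (i = 1; i <= length(h); i++)
            d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
        return d
    }
    NR > 1 && $4 == "0A" {
        split($2, a, ":")
        print hex2dec(a[2])
    }' "$1" | sort -n -u
}

# netstat_listen_ports FILE
#   Print the decimal TCP ports that a saved "netstat -an" listing shows as
#   LISTEN, one per line, numerically sorted. The local address looks like
#   "0.0.0.0:32768", "*:22" or ":::22"; the port is whatever follows the
#   last colon.
netstat_listen_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" {
        p = $4; sub(/.*:/, "", p)
        print p
    }' "$1" | sort -n -u
}

# hidden_ports PROCFILE NETSTATFILE
#   Print ports the kernel lists in LISTEN state that netstat does not show.
#   Each port is tagged with its source and the two streams are merged; a
#   port never tagged "ns" came only from the kernel table.
hidden_ports() {
    {
        proc_listen_ports "$1"    | sed 's/$/ proc/'
        netstat_listen_ports "$2" | sed 's/$/ ns/'
    } | awk '{ seen[$1] = seen[$1] " " $2 }
             END { for (p in seen) if (index(seen[p], " ns") == 0) print p }' \
      | sort -n
}

# Constructed sample data (not captured from the compromised host). The
# kernel table shows 22, 32768 and 12345 listening; the netstat listing
# shows only 22 and 32768, i.e. 12345 (0x3039) has been hidden.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
SAMPLE_PROC="$SAMPLE_DIR/proc_net_tcp"
SAMPLE_NETSTAT="$SAMPLE_DIR/netstat_an"

cat > "$SAMPLE_PROC" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1026 1 c1d2e3f0 300 0 0 2 -1
   1: 00000000:8000 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1104 1 c1d2e3f1 300 0 0 2 -1
   2: 00000000:3039 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2211 1 c1d2e3f2 300 0 0 2 -1
   3: 0100007F:0016 0100007F:C001 01 00000000:00000000 00:00000000 00000000     0        0 2300 1 c1d2e3f3 20 4 30 10 -1
EOF

cat > "$SAMPLE_NETSTAT" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:22            127.0.0.1:49153         ESTABLISHED
EOF

# Usage on the sample data; on a live host run
#   hidden_ports /proc/net/tcp <(netstat -an)   (bash)  or save netstat -an to a file first.
echo "Listeners hidden from netstat (sample data):"
hidden_ports "$SAMPLE_PROC" "$SAMPLE_NETSTAT"
```

Two caveats worth keeping in mind when reading the post's observations. First, on a 2.4 kernel the default ip_local_port_range starts at 32768, so 32768/tcp is simply the first dynamically assigned port and is very commonly grabbed at boot by an RPC service such as rpc.statd; `rpcinfo -p` on the host will say whether that is the case, and the "filenet-tms" label is only the IANA services-file entry for that number, not evidence that FileNet is installed. Second, nmap reports "filtered" when it gets no reply at all, whereas a connection refused from localhost means the kernel answered with a RST; a port that is refused locally but silent remotely is being dropped somewhere on the path, which can be the host's own packet filter (`ipchains -L -n` or `iptables -L -n` on that kernel) or a device in front of it, so that alone does not prove a listener exists. The /proc cross-check above is the more direct test of whether netstat is lying.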
    This list is provided by the SecurityFocus ARIS analyzer service.
