Re: Strange Behaviour !

From: Naseer Bhatti (naseerat_private)
Date: Fri Oct 26 2001 - 11:29:29 PDT

  • Next message: Christian Vogel: "Re: Strange Behaviour !"

    Despite all the debate, This is for sure that the system is being
    comrpomised by some sort of rootkit, but this is not the point here to prove
    that the system is compromised with a rootkit or not. What I am trying to do
    is that to see and gather the information about the binaries replaced on the
    system and try to avoind all such things in the future.
    
    This might be helpfull for maybe others in case the same guy tries to
    ./h4x0r some other box. rpc.statd and linuxconf web access is stopped as the
    init scripts.
    
    I see a file in /dev/data/scaner with attrivutes, crwx--x--x This c
    attribute makes is suspicious. This is not a regular /dev entry and it is
    also 0 byte file. So can't view it or see it with strings. The rest of the
    thing is that I get a new copy of all the netstat, lsof and other similar
    tools and get a close look of the binaries. The purpose of posting this here
    was just to save time from examining all the files.
    
    Thats all  ..
    
    Naseer
    
    
    ----- Original Message -----
    From: "dewt" <dewtat_private>
    To: "Naseer Bhatti" <naseerat_private>; "Incidents"
    <incidentsat_private>
    Sent: Friday, October 26, 2001 11:13 PM
    Subject: Re: Strange Behaviour !
    
    
    > On Friday 26 October 2001 12:47 pm, Naseer Bhatti wrote:
    > > [...]
    > >     and finaly I am posting this to Incodents
    > > [...]
    > >
    > > Hi, I am administrating a Linux box running RedHat 7.1 with 2.4.2-2
    kernel.
    > > Infact it's my fiend's box..anyway.. I noticed strange behaviour on the
    > > system. First of all strange ports are opened and the system is also on
    > > some sort of Firewall. Let me explain in detail.
    > >
    > > My Observations ...
    > >
    > > Active Internet connections (servers and established)
    > > Proto Recv-Q Send-Q Local Address           Foreign Address
    State
    > > tcp        0      0 0.0.0.0:32768        0.0.0.0:*               LISTEN
    > > tcp        0      0 0.0.0.0:98              0.0.0.0:*
    LISTEN
    > >
    > > [...]
    > >
    > > like this is the output of netstat -an. I see here port 32768 listening
    oon
    > > but can't find any data when telnet 0 32768. This port seems to be
    > > something like
    > >
    > the one on port 32768 is rpc.statd (to stop it from running do
    > /etc/rc.d/init.d/nfslock stop) and is normal to be there, the second is
    the
    > linuxconf web port which will only be on if you have that turned on (to
    stop
    > it do /etc/rc.d/init.d/linuxconf stop) that will only stop it temporarily,
    to
    > stop it permanetly run ntsysv and deselect them from the list (use space
    to
    > do that)
    >
    >
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Fri Oct 26 2001 - 11:52:43 PDT