Re: Strange service on Port 5656

From: Craig Holmes (Leusent@link-net.org)
Date: Wed Apr 16 2003 - 13:35:02 PDT


    On April 16, 2003 08:19 pm, B F wrote:
    > When I enter something at this prompt the
    > connection is closed immediately.
    That response is clearly characteristic of rootkit backdoors.
    > Nessus detects this service as time server, can anyone confirm/ deny that?
    I have never heard of a time daemon using this port for anything. If the
    banner it yields resembles that of a time server, it may cause Nessus to
    report it as such. The fact that it does doesn't really prove anything, as it
    is also a common tactic to make a rootkit yield a known banner in order to
    subvert suspicion.
    > The host in question is a SuSE Linux System and
    > has a vulnerable (OpenSSH 2.1.1) SSH daemon running,
    > so maybe this service is part of a rootkit?
    That is probably very likely. This device (system) is also most likely quite 
    old, and an attacker may have even exploited a different service to gain 
    access, then disabled it.
    
    The system is clearly a security risk, and, in my opinion, most likely 
    compromised.
    
    Craig Holmes
    
    



    This archive was generated by hypermail 2b30 : Wed Apr 16 2003 - 14:44:10 PDT