Re: Strange service on Port 5656

From: Neal K. Groothuis (ngroot-securityfocus@lo-cal.org)
Date: Wed Apr 16 2003 - 15:20:37 PDT


    I suspect that Nessus detected this as "time server" because
    it returned a 32-bit value and then closed the connection, which
    is what the standard time service does (see RFC 868 / STD 26).
    However, even if we assume that the eighth bit of each of those
    bytes was zeroed by telnet to get printable characters, the
    maximum value that that could be is a2acada1 (decimal 2,729,225,633),
    and the approximate number of seconds from midnight Jan 1 1900 by
    my calculations is 3,256,092,000 (103.25 * 365 * 24 * 60 * 60),
    and that's a pretty big discrepancy.  Plus, as was already pointed
    out, that's a non-standard port for time service.  The owners of
    that box should definitely see what process is listening on that port!
    
    						- neal
    
    On Wed, Apr 16, 2003 at 07:19:26PM +0200, B F wrote:
    > while conducting one of those tests this list was made
    > for, I stumbled over a TCP Service on Port 5656. If I
    > netcat on this port the following "banner" is displayed:
    > ",!-
    > 
    > When I enter something at this prompt the
    > connection is closed immediately. Nessus detects this
    > service as time server, can anyone confirm/deny that?
    > If this is no time server did someone see this banner
    > before? The host in question is a SuSE Linux System and
    > has a vulnerable (OpenSSH 2.1.1) SSH daemon running,
    > so maybe this service is part of a rootkit?
    
    -- 
    A faith; this is a necessity for man. Woe to him who believes nothing.
     						--Victor Hugo
    						  Les Miserables
    PGP key available upon request or at http://www.imsa.edu/~ngroot/
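
The plausibility check reasoned through in the message above, written out as an added example that is not part of the original thread: it treats a 4-byte banner as an RFC 868 reply, tries every combination of restored high bits, and compares the closest candidate with the expected seconds-since-1900 value. The banner bytes are taken as they are displayed in this archive, and the observation time (the quoted message's timestamp in UTC) and the one-day tolerance are assumptions.

```python
import itertools
import struct
from datetime import datetime, timezone

RFC868_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def rfc868_seconds(when):
    """Seconds since 1900-01-01 00:00 UTC, the value an RFC 868 server sends."""
    return int((when - RFC868_EPOCH).total_seconds())

def candidate_values(banner):
    """Every 32-bit big-endian value the banner could stand for if the high
    bit of any byte was cleared in transit (the hypothesis in the message)."""
    if len(banner) != 4:
        raise ValueError("an RFC 868 reply is exactly 4 bytes")
    values = set()
    for mask in itertools.product((0x00, 0x80), repeat=4):
        restored = bytes(b | m for b, m in zip(banner, mask))
        values.add(struct.unpack("!I", restored)[0])
    return values

def plausible_time_reply(banner, observed_at, tolerance_s=86400):
    """Return (plausible, closest_candidate, expected_seconds).

    tolerance_s is an assumed allowance for clock drift on the remote host.
    """
    expected = rfc868_seconds(observed_at)
    closest = min(candidate_values(banner), key=lambda v: abs(v - expected))
    return abs(closest - expected) <= tolerance_s, closest, expected

# Constructed sample input: banner as shown in the archive, and the quoted
# message's send time (19:19:26 +0200) converted to UTC.
BANNER = b'",!-'
OBSERVED_AT = datetime(2003, 4, 16, 17, 19, 26, tzinfo=timezone.utc)

if __name__ == "__main__":
    ok, closest, expected = plausible_time_reply(BANNER, OBSERVED_AT)
    print(f"closest candidate: 0x{closest:08x} ({closest:,})")
    print(f"expected value:    {expected:,}")
    print("plausible RFC 868 reply" if ok else "not a plausible RFC 868 reply")
```
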
    
    
    


