In-Reply-To: <200304162335.02476.Leusent@link-net.org>

Craig,

>> When I enter something at this prompt the
>> connection is closed immediately.

>That response is clearly characteristic of rootkit backdoors.

Can you elaborate? I'm more familiar w/ Windows systems, but given what little information has been provided, I'm wondering what it is that you're seeing that leads to this conclusion.

>> Nessus detects this service as time server, can anyone confirm/deny that?

>I have never heard of a time daemon using this port for anything. If the
>banner it yields resembles that of a time server, it may cause nessus to
>report it as such. The fact that it does doesn't really prove anything, as it
>is also a common tactic to make a rootkit yield a known banner in order to subvert suspicion.

This statement leads me to ask my question again...how is it that you know, without more information, that this system has been compromised?

I would have suggested further activities, such as running lsof or fuser on the system, to find the path/name of the executable image that's bound to that port.

Thanks,

Harlan
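The port-to-executable lookup that lsof or fuser performs, written out as an added example that is not part of the original message. It assumes a Linux /proc layout and covers IPv4 TCP only; the function names, the sample table and the port number are constructed for illustration, since the thread does not state the port.

```python
import os

# Constructed sample in /proc/net/tcp format (not taken from the thread).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:9C40 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:9C40 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp


def listening_inodes(table_text, port):
    """Return socket inodes of LISTEN entries bound to the given local port."""
    inodes = []
    for line in table_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)  # port is hex
        if local_port == port and fields[3] == TCP_LISTEN:
            inodes.append(fields[9])
    return inodes


def socket_owners(inodes, proc_root="/proc"):
    """Return (pid, executable path) for processes holding any of the inodes."""
    wanted = {"socket:[%s]" % i for i in inodes}
    owners = []
    for pid in sorted(filter(str.isdigit, os.listdir(proc_root)), key=int):
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
            if wanted.intersection(links):
                owners.append((int(pid), os.readlink(os.path.join(proc_root, pid, "exe"))))
        except OSError:
            continue      # process exited or we lack permission to inspect it
    return owners


if __name__ == "__main__":
    port = 40000          # hypothetical port; the thread does not state one
    with open("/proc/net/tcp") as fh:
        for pid, exe in socket_owners(listening_inodes(fh.read(), port)):
            print(pid, exe)
```

Inspecting other users' processes requires root, and on a host suspected of compromise the result is only as trustworthy as the kernel and tools that produced it.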
This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 09:06:42 PDT