Re: who owns the ports?
* Matthias G. Imhof <mgi@VT.EDU> [010207 15:32]:
> Performing strobe or nmap on my system, I get, e.g., the following list:
>
> 79/tcp open finger
> 119/tcp open nntp
> 143/tcp open imap2
> 540/tcp open uucp
> 6667/tcp open irc
> 12345/tcp open NetBus
> 12346/tcp open NetBus
> 31337/tcp open Elite
>
> However, lsof -i tcp:79 yields nothing. Similarly with the others.
> In addition, there should be no irc running, finger is commented from the
> inetd.conf, and so on.
>
> Why do these ports respond to strobe or nmap? Which process controlls them?
My immediate guess, upon seeing anything running on 31337, is that
you've been "0wn3d", as the script kiddies put it, and maybe lsof has
been trojaned not to list the attacker's processes.
You are running lsof as root, right? It won't show you everything as an
ordinary user.
You don't say what version of Debian you're running. If you're running
potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:
be8cf28300c29db5dffbea19fd613abf /usr/sbin/lsof
If that's not it, it's a trojan. I'd guess that other useful tools for
finding out what's going on, e.g. ls and ps and fuser, have been
trojaned as well. (Although you might want to try "fuser 31337/tcp",
maybe the attacker forgot about it.)
Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
interested in further investigation.
--
Brock Sides
csides@autozone.com
The original plan [for GNOME] was to aim to make a desktop as good as
the Macintosh, and we should not lower our ambition by making one
merely as good as Windows. -- RMS
Reply to: