
Re: who owns the ports?

* Matthias G. Imhof <mgi@VT.EDU> [010207 15:32]:

> Performing strobe or nmap on my system, I get, e.g., the following list:
> 79/tcp     open        finger                  
> 119/tcp    open        nntp                    
> 143/tcp    open        imap2                   
> 540/tcp    open        uucp                    
> 6667/tcp   open        irc                     
> 12345/tcp  open        NetBus                  
> 12346/tcp  open        NetBus                  
> 31337/tcp  open        Elite                   
> However, lsof -i tcp:79 yields nothing. Similarly with the others.
> In addition, there should be no irc running, finger is commented from the
> inetd.conf, and so on.
> Why do these ports respond to strobe or nmap? Which process controls them?

My immediate guess, upon seeing anything running on 31337, is that
you've been "0wn3d", as the script kiddies put it, and maybe lsof has
been trojaned not to list the attacker's processes.

You are running lsof as root, right? It won't show you everything as an
ordinary user.

You don't say what version of Debian you're running. If you're running
potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for it:

be8cf28300c29db5dffbea19fd613abf  /usr/sbin/lsof

If that's not it, it's a trojan. I'd guess that other useful tools for
finding out what's going on, e.g. ls and ps and fuser, have been
trojaned as well. (Although you might want to try "fuser 31337/tcp",
maybe the attacker forgot about it.)

Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
interested in further investigation.

Brock Sides

The original plan [for GNOME] was to aim to make a desktop as good as 
the Macintosh, and we should not lower our ambition by making one 
merely as good as Windows. -- RMS 
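
The check Brock describes, done in code rather than by eye: compare what an external scanner reports as open with what the local kernel view of listening sockets shows, and compare a binary's md5sum with a known-good value. This is an added example, not code from the original thread; the scan output and the /proc/net/tcp contents below are constructed, and the md5 value used in the usage note is the standard test vector, not the lsof checksum quoted above.

```python
"""Cross-check an external port scan against the local view of listening
sockets, and verify a binary's MD5 against a known-good value.

Added example for the thread above; the sample scan and /proc/net/tcp
contents are constructed, not taken from the original post."""
import hashlib
import re

# Constructed nmap-style output in the same format as quoted in the thread.
SAMPLE_SCAN = """\
79/tcp     open        finger
119/tcp    open        nntp
12345/tcp  open        NetBus
31337/tcp  open        Elite
"""

# Constructed /proc/net/tcp contents: only nntp (0x0077 = 119) is in LISTEN
# state (st == 0A); an established connection (st == 01) is included to show
# that non-listening sockets are ignored.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0077 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:8A3C 0100007F:0077 01 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 20 4 30 10 -1
"""

SCAN_LINE = re.compile(r"^\s*(\d+)/tcp\s+open\b")
TCP_LISTEN = "0A"  # socket state value for LISTEN in /proc/net/tcp


def parse_scan_ports(text):
    """Return the set of TCP ports a scanner reported as open."""
    return {int(m.group(1)) for m in map(SCAN_LINE.match, text.splitlines()) if m}


def parse_listening_ports(text):
    """Return the set of TCP ports in LISTEN state from /proc/net/tcp text.

    The local port is the hex field after the colon in local_address."""
    ports = set()
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 4:
            continue
        local_addr, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local_addr.split(":")[1], 16))
    return ports


def hidden_ports(scan_text, proc_text):
    """Ports that answer an external scan but have no visible local listener.

    A non-empty result means the local tools (or the kernel) are not showing
    everything, which is exactly the symptom described in the thread."""
    return sorted(parse_scan_ports(scan_text) - parse_listening_ports(proc_text))


def md5_hex(data):
    """MD5 digest of data as a lowercase hex string (what md5sum prints)."""
    return hashlib.md5(data).hexdigest()


def binary_matches(path, expected_md5):
    """True if the file at path has the expected md5sum.

    Only meaningful when run from a trusted environment (e.g. the disk
    mounted from known-clean boot media): on a compromised host the
    interpreter, libc or kernel may misreport file contents."""
    with open(path, "rb") as fh:
        return md5_hex(fh.read()) == expected_md5.lower()


if __name__ == "__main__":
    print("open on scan but not listening locally:",
          hidden_ports(SAMPLE_SCAN, SAMPLE_PROC_NET_TCP))
```

On a live system you would feed `hidden_ports` the real scanner output and the contents of `/proc/net/tcp` (and `/proc/net/tcp6`); the constructed sample yields `[79, 12345, 31337]`, the "answers remotely, invisible locally" pattern the thread is about. `binary_matches("/usr/sbin/lsof", "<known-good md5>")` does the checksum comparison Brock suggests, with the expected value coming from a trusted package source rather than the suspect host. As a sanity check, `md5_hex(b"abc")` returns `900150983cd24fb0d6963f7d28e17f72`.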
