
Re: BackOrifice on Linux?

on Wed, Jan 29, 2003 at 10:15:23AM -0600, Kent West (westk@acu.edu) wrote:
> Rob Weir wrote:
> >On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
> >
> >>I just ran the command "sudo nmap  -sT -sU localhost" which listed the 
> >>following:

> >>12345/tcp  open        NetBus                 
> >>12346/tcp  open        NetBus                 
> >>27665/tcp  open        Trinoo_Master          
> >>31335/udp  open        Trinoo_Register        

> >>Should I be concerned, or is this maybe part of portsentry or something 
> >>similar?

> Looks like it may just be part of portsentry. Thanks!
> >westek[westk]:/home/westk> sudo netstat -ntuple
> >Active Internet connections (only servers)
> >Proto Recv-Q Send-Q Local Address           Foreign Address         
> >State       User       Inode      PID/Program name  
> >tcp        0      0     *               
> >LISTEN      0          2168       701/portsentry     
> >tcp        0      0 *               
> >LISTEN      0          2201       701/portsentry     
> >tcp        0      0 *               

One of the annoying aspects of portsentry is that it opens the ports it
listens on.  This can lead to false-positive alerts when scanning your
own systems.

Snort is another package which detects traffic on ports but doesn't open
them.  I'd recommend it as an alternative.


Karsten M. Self <kmself@ix.netcom.com>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   The Amazon "one-click" patent boycott -- yes, it continues:
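An added check, not part of this message or of portsentry, nmap or Debian, that automates the cross-reference done by hand above: it pairs each port nmap reports as "open" with the owning process from `netstat -ntuple` and flags the portsentry-owned ones as decoys rather than backdoors. The nmap and netstat lines below are constructed samples modelled on the quoted output, with a hypothetical sshd listener added for contrast.

```python
import re

# Constructed sample output modelled on the thread: nmap labels ports by the
# trojans known to use them, netstat -ntuple shows which process really owns them.
NMAP_OUTPUT = """\
22/tcp     open        ssh
12345/tcp  open        NetBus
12346/tcp  open        NetBus
27665/tcp  open        Trinoo_Master
31335/udp  open        Trinoo_Register
"""
NETSTAT_OUTPUT = """\
tcp        0      0 0.0.0.0:22      0.0.0.0:*   LISTEN   0   1930   512/sshd
tcp        0      0 0.0.0.0:12345   0.0.0.0:*   LISTEN   0   2168   701/portsentry
tcp        0      0 0.0.0.0:12346   0.0.0.0:*   LISTEN   0   2201   701/portsentry
tcp        0      0 0.0.0.0:27665   0.0.0.0:*   LISTEN   0   2202   701/portsentry
udp        0      0 0.0.0.0:31335   0.0.0.0:*            0   2250   701/portsentry
"""
DECOY_PROGRAMS = {"portsentry"}  # tools known to bind decoy ports on purpose

def parse_nmap(text):
    """{(port, proto): service} for every line nmap reports as open."""
    found = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)/(tcp|udp)\s+open\s+(\S+)", line)
        if m:
            found[(int(m.group(1)), m.group(2))] = m.group(3)
    return found

def parse_netstat(text):
    """{(port, proto): program} from netstat -ntuple rows (udp rows lack State)."""
    owners = {}
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or cols[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        port = int(cols[3].rsplit(":", 1)[1])      # local address is always column 4
        owners[(port, cols[0].rstrip("6"))] = cols[-1].split("/", 1)[-1]  # PID/Program
    return owners

def classify(nmap_text, netstat_text):
    """'decoy' when a known sentry owns the port, otherwise 'investigate'."""
    owners = parse_netstat(netstat_text)
    verdicts = {}
    for key, service in parse_nmap(nmap_text).items():
        program = owners.get(key, "unknown")
        verdict = "decoy" if program in DECOY_PROGRAMS else "investigate"
        verdicts[key] = (verdict, service, program)
    return verdicts

if __name__ == "__main__":
    for (port, proto), (verdict, svc, prog) in sorted(classify(NMAP_OUTPUT, NETSTAT_OUTPUT).items()):
        print(f"{port}/{proto:<4} {svc:<16} owner={prog:<11} -> {verdict}")
```

A port that nmap reports open but netstat shows no owner for is reported as "investigate" with owner "unknown", which is the case that deserves a closer look.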
