[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: hacked?

From: "Moe Binkerman" <moebinkerman@hotmail.com>
To: debian-user@lists.debian.org
Subject: Re: hacked?
Date: Mon, 16 Jun 2003 20:44:13 -0400

From: Joey Hess <joeyh@debian.org>
To: debian-user@lists.debian.org
Subject: Re: hacked?
Date: Mon, 16 Jun 2003 11:51:55 -0400

Moe Binkerman wrote:
> I've noticed something odd, I did an nmap localhost after messing with
> inetd.conf, and say a weird port open.
> I ran it again and it wasn't there. Mostly I see just the normal services > I am running, but 1 in a dozen nmap scans (as root) show some ports that
> are open for a second or so. Why would these ports be open, below is an
> example of some of the ports.
> I put an nmap localhost in loop to capture the info, also I ran a ps -ef > in a loop and I let it run for a couple of days and I didn't see anything
> unusual. Am I hacked?
> 1359/tcp   open        ftsrv
> 2120/tcp   open        kauth
> 2241/tcp   open        ivsd
> 1452/tcp   open        gtegsc-lm
> 4444/tcp   open        krb524
> 3306/tcp   open        mysql
> 1358/tcp   open        connlcli
> 1652/tcp   open        xnmp
> 1433/tcp   open        ms-sql-s
> 3389/tcp   open        msrdp
> 1506/tcp   open        utcd
> 1386/tcp   open        checksum
> 2021/tcp   open        servexec
> 2564/tcp   open        hp-3000-telnet
> 1445/tcp   open        proxima-lm
> 1369/tcp   open        gv-us
> 1444/tcp   open        marcam-lm

These are all nonstandard high ports above 1024. Anytime your system
makes an outgoing TCP connection it will open an unused high port of
this type and use it. Maybe that's what it is -- depending on the type
of port scan you did I suppose they could show up.

netstat will list them along with what they're connected to at the other

tcp 0 0 client132.fre.commu:www egspd403.teoma.co:35243 ESTABLISHED tcp 0 0 client132.fre.commu:www egspd403.teoma.co:34962 TIME_WAIT tcp 0 0 client132.fre.commu:www egspd403.teoma.co:34807 TIME_WAIT tcp 0 0 client132.fre.commu:www egspd403.teoma.co:34523 TIME_WAIT tcp 0 0 client132.fre.commu:www cr012r01-3.sac2.fa:1186 TIME_WAIT tcp 0 0 client132.fre.commu:www cr038r01-2.sac2.fa:1110 TIME_WAIT tcp 0 0 client132.fre.commu:www cr038r01-2.sac2.fa:1057 TIME_WAIT

see shy jo
<< attach3 >>

The scan was simply:
nmap localhost

run as root so its icmp pings, I thought nmap only would find ports that are being listened on, not say a port that's being used as part of an outbound connection. I've never seen these high ports before in my scans. I've run scans many times in the past experiementing with my debian system and the services it can run. To me it seems strange I've never noticed them before, but now I can find them quite easily, while my use of nmap is the same. I'll man nmap to see what I can puzzle out.

Protect your PC - get McAfee.com VirusScan Online http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

To UNSUBSCRIBE, email to debian-user-request@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

I installed another box and put it in the first box's place. I've run my script that scans the ports every 30 seconds for about 10 hours so far, and not a single strange port was listed, while the old box had several hundreds of odd ports open in just 1 day of scans. Once I noticed the odd ports, I could reproduce it by hand at will. These high ports have yet to show up in a scan of the new box.

from the nmap man page it says:

Open means that the target machine will accept() connections on that port.

Does that include a port used to communicate with a remote webserver from inside my network via NAT? I've tried scanning my box, while generating a lot of webtraffic and I have not been able to see these ports via nmap, so I don't think so. Wouldn't a packet that's not part of its connection, one from a random communication attempt be dropped because its sequence, etc are all wrong?

Lets just say the old box is not getting back on my network until after I wipe it.

Add photos to your messages with MSN 8. Get 2 months FREE*. http://join.msn.com/?page=features/featuredemail

Reply to: