
Re: hacked?

From: <cristian-debian@corpo5.com.br>
Reply-To: cristian-debian@corpo5.com.br
To: debian-user@lists.debian.org
Subject: Re: hacked?
Date: Wed, 18 Jun 2003 12:07:08 -0300


On Wed, 18 Jun 2003 09:59:54 -0400, "Moe Binkerman" <moebinkerman> wrote:

> From: "Moe Binkerman" <moebinkerman>
> Date: Wed, 18 Jun 2003 09:59:54 -0400
> To: moebinkerman@hotmail.com
> Subject: Re: hacked?
>
> >From: "Moe Binkerman" <moebinkerman>
> >To: debian-user@lists.debian.org
> >Subject: Re: hacked?
> >Date: Mon, 16 Jun 2003 20:44:13 -0400
> >
> >
> >
> >>From: Joey Hess <joeyh>
> >>To: debian-user@lists.debian.org
> >>Subject: Re: hacked?
> >>Date: Mon, 16 Jun 2003 11:51:55 -0400
> >>
> >>Moe Binkerman wrote:
> >> > I've noticed something odd, I did an nmap localhost after messing with
> >> > inetd.conf, and saw a weird port open.
> >> > I ran it again and it wasn't there. Mostly I see just the normal
> >>services
> >> > I am running, but 1 in a dozen nmap scans (as root) show some ports
> >>that
> >> > are open for a second or so. Why would these ports be open, below is an
> >> > example of some of the ports.
> >> >
> >> > I put an nmap localhost in loop to capture the info, also I ran a ps
> >>-ef
> >> > in a loop and I let it run for a couple of days and I didn't see
> >>anything
> >> > unusual. Am I hacked?
> >> >
> >> >
> >> > 1359/tcp   open        ftsrv
> >> > 2120/tcp   open        kauth
> >> > 2241/tcp   open        ivsd
> >> > 1452/tcp   open        gtegsc-lm
> >> > 4444/tcp   open        krb524
> >> > 3306/tcp   open        mysql
> >> > 1358/tcp   open        connlcli
> >> > 1652/tcp   open        xnmp
> >> > 1433/tcp   open        ms-sql-s
> >> > 3389/tcp   open        msrdp
> >> > 1506/tcp   open        utcd
> >> > 1386/tcp   open        checksum
> >> > 2021/tcp   open        servexec
> >> > 2564/tcp   open        hp-3000-telnet
> >> > 1445/tcp   open        proxima-lm
> >> > 1369/tcp   open        gv-us
> >> > 1444/tcp   open        marcam-lm
> >>
> >>These are all nonstandard high ports above 1024. Anytime your system
> >>makes an outgoing TCP connection it will open an unused high port of
> >>this type and use it. Maybe that's what it is -- depending on the type
> >>of port scan you did I suppose they could show up.
> >>
> >>netstat will list them along with what they're connected to at the other
> >>end:
> >>
> >>tcp        0      0 client132.fre.commu:www egspd403.teoma.co:35243
> >>ESTABLISHED
> >>tcp        0      0 client132.fre.commu:www egspd403.teoma.co:34962
> >>TIME_WAIT
> >>tcp        0      0 client132.fre.commu:www egspd403.teoma.co:34807
> >>TIME_WAIT
> >>tcp        0      0 client132.fre.commu:www egspd403.teoma.co:34523
> >>TIME_WAIT
> >>tcp        0      0 client132.fre.commu:www cr012r01-3.sac2.fa:1186
> >>TIME_WAIT
> >>tcp        0      0 client132.fre.commu:www cr038r01-2.sac2.fa:1110
> >>TIME_WAIT
> >>tcp        0      0 client132.fre.commu:www cr038r01-2.sac2.fa:1057
> >>TIME_WAIT
> >>
> >>--
> >>see shy jo
> >
> >
> >The scan was simply:
> >nmap localhost
> >
> >run as root so it's icmp pings, I thought nmap only would find ports that
> >are being listened on, not say a port that's being used as part of an
> >outbound connection. I've never seen these high ports before in my scans.
> >I've run scans many times in the past experimenting with my debian system
> >and the services it can run.  To me it seems strange I've never noticed
> >them before, but now I can find them quite easily, while my use of nmap is
> >the same. I'll man nmap to see what I can puzzle out.
> >
> >
> >
> >--
> >To UNSUBSCRIBE, email to debian-user-request@lists.debian.org with a
> >subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
> >
>
> I installed another box and put it in the first box's place. I've run my
> script that scans the ports every 30 seconds for about 10 hours so far, and
> not a single strange port was listed, while the old box had several hundreds
> of odd ports open in just 1 day of scans. Once I noticed the odd ports, I
> could reproduce it by hand at will. These high ports have yet to show up in
> a scan of the new box.
>
> from the nmap man page it says:
>
> Open means that the target machine will accept() connections on that port.
>
> Does that include a port used to communicate with a remote webserver from
> inside my network via NAT? I've tried scanning my box, while generating a
> lot of webtraffic and I have not been able to see these ports via nmap, so I
> don't think so. Wouldn't a packet that's not part of its connection, one
> from a random communication attempt be dropped because its sequence, etc are
> all wrong?
>
> Lets just say the old box is not getting back on my network until after I
> wipe it.
>

Do you think it would be wise to wipe out the old box without
finding out how it was hacked or, at least, whether it is
actually hacked?
Over here we also have a suspicious box (a Woody one).
But it has been quite hard to see if it really was cracked.
Normal commands like ps -ax, pstree, netstat -ap, lsmod,
top show nothing but the expected.
Then we tried chkrootkit (from the debian main
repository, ver. 0.35-1)... nothing :-(

So we did apt-get --reinstall install on the following packages:
- net-tools
- util-linux
- fileutils
- findutils
- procps
- psmisc
- textutils,
just to be sure the commands are the original ones, and
those binaries were not modified by a rootkit.
The output was the same.

Nessus (also from the debian main repository) against the box dumps
tons of open ports and security holes!
It could be a hidden lkm (the third generation, as it is said). But we
actually don't know.
Someone has directed us to http://s0ftpj.org/en/site.html
where you can find kstat. We have not found another tool with
that purpose. We are on that now.

So, it would be nice if anyone else could point out another link
to keep going...

cheers,
Cristian


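Joey's point above is that every outgoing TCP connection occupies an unused high port on the local side, and that netstat shows those ports together with the remote end; the nmap man page line Moe quotes defines "open" as a port the machine will accept() on, which is only true of LISTEN sockets. The script below is an added example, not code from anyone in the thread: it reads the same kernel table netstat reads (/proc/net/tcp, whose format is assumed from the Linux proc interface) and separates listening sockets from local endpoints of connections, then flags any listener that is not on an allowlist. The table contents are constructed here so the script runs offline; on a real box you would read /proc/net/tcp instead.

```python
"""Added example: tell listening sockets apart from the ephemeral high ports
that outgoing TCP connections use, by parsing the /proc/net/tcp table the
kernel exposes (the same data netstat prints)."""
import socket
import struct

# Constructed sample of /proc/net/tcp (not captured from the box in the thread):
# sshd listening on *:22, mysql listening on 127.0.0.1:3306, one outgoing web
# fetch in ESTABLISHED, one finished fetch in TIME_WAIT on local port 1359
# (one of the ports from Moe's list), and one accepted client of mysql.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10100 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   104        0 10200 1 0000000000000000 100 0 0 10 0
   2: 0501A8C0:81DB 63A1E940:0050 01 00000000:00000000 00:00000000 00000000  1000        0 10300 1 0000000000000000 20 4 30 10 -1
   3: 0501A8C0:054F 63A1E940:0050 06 00000000:00000000 03:00000B5C 00000000     0        0 0 3 0000000000000000
   4: 0100007F:0CEA 0100007F:9CBB 01 00000000:00000000 00:00000000 00000000   104        0 10400 1 0000000000000000 20 4 30 10 -1
"""

# Socket state codes used in the "st" column of /proc/net/tcp.
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
    "04": "FIN_WAIT1", "05": "FIN_WAIT2", "06": "TIME_WAIT",
    "07": "CLOSE", "08": "CLOSE_WAIT", "09": "LAST_ACK",
    "0A": "LISTEN", "0B": "CLOSING",
}


def decode_endpoint(hex_endpoint):
    """'0100007F:0CEA' -> ('127.0.0.1', 3306).
    The IPv4 address is stored as a host-order 32-bit integer (little-endian
    on x86), the port as a plain big-endian hex number."""
    ip_hex, port_hex = hex_endpoint.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row; the first line is the column header."""
    rows = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 10:
            continue
        rows.append({
            "local": decode_endpoint(fields[1]),
            "remote": decode_endpoint(fields[2]),
            "state": TCP_STATES.get(fields[3], fields[3]),
            "uid": int(fields[7]),
            "inode": int(fields[9]),
        })
    return rows


def classify(rows):
    """Split local ports into listeners (will accept()) and connection
    endpoints (local side of a connection with no listener on that port,
    i.e. the ephemeral ports Joey describes)."""
    listeners = sorted({r["local"][1] for r in rows if r["state"] == "LISTEN"})
    listener_ports = set(listeners)
    endpoints = sorted({r["local"][1] for r in rows
                        if r["state"] != "LISTEN"
                        and r["local"][1] not in listener_ports})
    return listeners, endpoints


def unexpected_listeners(rows, expected_ports):
    """Listening ports not on the admin's allowlist: the ones worth explaining."""
    listeners, _ = classify(rows)
    return [p for p in listeners if p not in expected_ports]


if __name__ == "__main__":
    rows = parse_proc_net_tcp(SAMPLE_PROC_NET_TCP)
    listeners, endpoints = classify(rows)
    print("listening ports:", listeners)
    print("local ends of connections (not accepting):", endpoints)
    print("listeners not on allowlist:", unexpected_listeners(rows, {22, 3306}))
```

Port 1359 shows up only as the local end of a TIME_WAIT connection to a remote web server, which is why a quick scan can catch it "open" for a second and a later scan cannot. The caveat is the one Cristian raises: this reads the kernel's own view, so a hidden LKM that filters /proc would hide a socket from this script exactly as it hides it from netstat.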


I already had chkrootkit installed, it didn't report anything, but I think anyone targeting a debian box would know to have it on the list of things to trojan. I wish I had installed integrit on it, then things would have been much easier, lesson learned. I'll make a dd of the drive since it was only 2gig and at some point tinker with it more.


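Cristian reinstalled net-tools, procps and friends to be sure the commands were the originals, and Moe wishes he had an integrit database to compare against. The script below is an added example, not code from the thread or from dpkg or integrit: it checks installed files against the per-package md5sums lists that dpkg records under /var/lib/dpkg/info/<pkg>.md5sums (format assumed: one "<md5hex>  <path relative to />" line per file) and reports modified and missing files. The demo builds a throwaway fake root with a tampered copy of one "binary" so it runs offline; the package name, file contents and paths in it are constructed.

```python
"""Added example: verify installed files against a dpkg-style md5sums list,
reporting files whose content no longer matches and files that are missing."""
import hashlib
import os
import shutil
import tempfile


def parse_md5sums(text):
    """Parse dpkg's <pkg>.md5sums format: '<md5hex>  <relative path>' per line.
    Returns {absolute path: expected hex digest}."""
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, relpath = line.partition("  ")
        expected["/" + relpath] = digest.lower()
    return expected


def md5_of_file(path):
    """Stream the file so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(expected, root="/"):
    """Compare every listed file under `root` with its recorded digest."""
    result = {"ok": [], "modified": [], "missing": []}
    for path, digest in sorted(expected.items()):
        full = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(full):
            result["missing"].append(path)
        elif md5_of_file(full) != digest:
            result["modified"].append(path)
        else:
            result["ok"].append(path)
    return result


def demo():
    """Constructed scenario (not a real package): three files are recorded at
    install time, one is never installed, and one is overwritten afterwards."""
    root = tempfile.mkdtemp(prefix="md5sums-demo-")
    genuine = {
        "bin/ps": b"#!/bin/sh\necho genuine ps\n",
        "bin/netstat": b"#!/bin/sh\necho genuine netstat\n",
        "sbin/lsmod": b"#!/bin/sh\necho genuine lsmod\n",
    }
    # The reference list is derived from the genuine contents, as dpkg would
    # have written it when the package was installed.
    md5sums_text = "".join("%s  %s\n" % (hashlib.md5(data).hexdigest(), rel)
                           for rel, data in genuine.items())
    # Install only ps and netstat; lsmod stays missing.
    for rel in ("bin/ps", "bin/netstat"):
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(genuine[rel])
    # Simulate a replaced binary: netstat no longer matches its recorded digest.
    with open(os.path.join(root, "bin/netstat"), "wb") as f:
        f.write(b"#!/bin/sh\necho replaced netstat\n")
    try:
        return verify(parse_md5sums(md5sums_text), root=root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

On a live box you would feed it the contents of /var/lib/dpkg/info/net-tools.md5sums with root="/". Two limits follow directly from the thread: an intruder with root can rewrite the md5sums files as easily as the binaries, which is why Cristian reinstalled from the repository and why integrit keeps its reference database where the running system cannot quietly change it; and a hidden LKM can lie about what a file contains, so the comparison only means something when run against the disk image from a clean boot, which is what Moe's dd of the drive makes possible.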