Hi all,
Mandrake 7.2 running:
Apache ( 1.3.14 )
Bind ( 8.2.3 )
I just did a routine port scan and found port 31137 open .. I killed all
non-essential programs and the port was closed.
I suspect a rootkit (?) ... need help ..
-James
> Mandrake 7.2 running:
> Apache ( 1.3.14 )
> Bind ( 8.2.3 )
> I just did a routine port scan and found port 31137 open .. I killed all
> non-essential programs and the port was closed. I suspect a rootkit (?)
> ... need help ..
lsof -i tcp:31137
This should give you the name of the process that
listens on the port. Check if it is something familiar.
If this reveals nothing, but the portscan does ...
something fishy is going on and you may have been rooted.
Jan Van der Veken
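Jan's advice comes down to comparing what an outside scanner reports with what the host's own tools report. The POSIX shell script below is an added example, not code from this thread: it takes constructed sample output in the formats nmap and "lsof -i -P -n" print (the 31137 listener is a made-up sample line), lists the TCP ports each side reports, and prints any port that is open from outside but absent from the host's own listener list. It also lets you pull out ports a scanner marked filtered rather than open. On a suspect host, replace the two sample strings with real captures; a non-empty result from unexplained_ports is the "lsof reveals nothing, but the portscan does" case Jan describes.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check an external port scan
# against the listeners the host itself reports.

# Constructed nmap-style output: "port/proto state service" lines.
SCAN_OUTPUT='Port State Service
22/tcp open ssh
53/tcp open domain
113/tcp open auth
31137/tcp open unknown
31337/tcp filtered Elite'

# Constructed "lsof -i -P -n" output as the suspect host itself prints it.
# Note that 31137 is absent here although the scan saw it open.
LSOF_OUTPUT='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 412 root 3u IPv4 1234 0t0 TCP *:22 (LISTEN)
named 520 named 4u IPv4 1300 0t0 TCP *:53 (LISTEN)
inetd 300 root 5u IPv4 1400 0t0 TCP *:113 (LISTEN)'

# scanned_ports SCAN_TEXT [STATE]
# TCP ports the scanner reported in STATE (default "open"), one per line.
scanned_ports() {
    state="${2:-open}"
    printf '%s\n' "$1" |
        awk -v s="$state" '$1 ~ /^[0-9]+\/tcp$/ && $2 == s {
            sub(/\/tcp$/, "", $1); print $1 }' |
        sort -n
}

# local_listeners LSOF_TEXT
# TCP ports the host reports in LISTEN state, taken from the NAME column
# ("*:22", "0.0.0.0:22" or "[::]:22"); the port is always after the last colon.
local_listeners() {
    printf '%s\n' "$1" |
        awk '$NF == "(LISTEN)" { n = split($(NF-1), a, ":"); print a[n] }' |
        sort -n | uniq
}

# unexplained_ports SCAN_TEXT LSOF_TEXT
# Ports open to the outside that the host's own tools do not account for.
# Either the scan hit a different host, or the host can no longer be
# trusted to report its own listeners.
unexplained_ports() {
    lp=$(local_listeners "$2")
    scanned_ports "$1" open | while read -r p; do
        printf '%s\n' "$lp" | grep -qxF -- "$p" || printf '%s\n' "$p"
    done
}

# Stand-alone run over the constructed samples.
echo "open from outside:     $(scanned_ports "$SCAN_OUTPUT" open | tr '\n' ' ')"
echo "filtered from outside: $(scanned_ports "$SCAN_OUTPUT" filtered | tr '\n' ' ')"
echo "listening per lsof:    $(local_listeners "$LSOF_OUTPUT" | tr '\n' ' ')"
echo "unexplained:           $(unexplained_ports "$SCAN_OUTPUT" "$LSOF_OUTPUT" | tr '\n' ' ')"
```

The comparison deliberately uses only awk, grep and sort, because on a box whose netstat or lsof may already lie, the fewer binaries the check depends on the better; the scan side should be captured from a separate, trusted machine.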
Thanks for the prompt reply !!
Just to be sure, I'm actually doing a fresh install on a new box so that I
can "swap" the machines and test the (possibly) compromised box offline.
-James
> > Hi all,
> > Mandrake 7.2 running:
> > Apache ( 1.3.14 )
> > Bind ( 8.2.3 )
> > I just did a routine port scan and found port 31137 open .. I killed all
> > non-essential programs and the port was closed. I suspect a rootkit (?)
> > ... need help ..
> lsof -i tcp:31137
> This should give you the name of the process that
> listens on the port. Check if it is something familiar.
> If this reveals nothing, but the portscan does ...
> something fishy is going on and you may have been rooted.
> Jan Van der Veken
> Thanks for the prompt reply !!
> Just to be sure, I'm actually doing a fresh install on a new box so that I
> can "swap" the machines and test the (possibly) compromised box offline.
> -James
> > > Hi all,
> > > Mandrake 7.2 running:
> > > Apache ( 1.3.14 )
> > > Bind ( 8.2.3 )
> > > I just did a routine port scan and found port 31137 open .. I killed all
> > > non-essential programs and the port was closed. I suspect a rootkit (?)
> > > ... need help ..
Sir, you seem to be in a league of your own when it comes to commonsense
practice. Well done. Please feel free to ask all the questions you
like.
--
Regards
Luke
------
But it does move!
-- Galileo Galilei
------
http://www.bell-bird.com.au
PLEASE NOTE: Spamgard (tm) installed.
------
See www.chkrootkit.org and download their root
> Hi all,
> Mandrake 7.2 running:
> Apache ( 1.3.14 )
> Bind ( 8.2.3 )
> I just did a routine port scan and found port 31137 open .. I killed all
> non-essential programs and the port was closed.
> I suspect a rootkit (?) ... need help ..
Possibly try the adore worm finder too.
http://www.ists.dartmouth.edu/IRIA/knowledge_base/tools/adorefind.htm
Unpatched versions of bind are wide open for
root compromises. See http://www.sans.org/y2k/adore.htm
When I have "net.inet.tcp.blackhole: 2" set, nmap shows the following:
31337/tcp filtered Elite
(other ports I have accessible from the outside are identd, domain (DNS)
and ssh).
Full output from outside the firewall:
(The 1598 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
53/tcp open domain
113/tcp open auth
When I set the value to "0", this doesn't show up. I haven't seen any
evidence that I have been h4x0r3d, but this is a little unsettling... is
this a sort-of-funny joke in FreeBSD (or nmap), or should I be
concerned? I cannot see this port in netstat output (even if I copy the
netstat binary from another fbsd 4.8 machine), nor can I connect to it
from localhost or from outside. I do not, however, see this behavior
with another 4.8 box.
FreeBSD 4.8; nmap v 3.00.
--
No copies, please.
To reply privately, simply reply; don't remove anything.