On Saturday 19 April 2003 7:49 am, Anders Karlsson wrote:
> you need to pay a little more attention...
> On Sat, 2003-04-19 at 14:43, Adam Leach wrote:
> [...]
> > The system seems really insecure. I just did a simple port scan and found the following services running. I wouldn't normally do that; however, the attack has now been going on for nearly 24 hours.
He is talking about scanning the system INITIATING the attack, not his own system. While in some cases this could be considered malicious, in this case it is easy enough to defend his actions for the reason he gave: he has been under attack for 24 hours, and a single return scan to ascertain the status or capability of the attacker is a reasonable thing to do.
> > Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
> > Interesting ports on kes.wirehub.nl (195.86.128.45):
note the IP address...

> > [...]
> > 1020/tcp   open        unknown
> > 1021/tcp   open        unknown
> > 1022/tcp   open        unknown
> > 1023/tcp   open        unknown
> No idea what these are for; I'd be suspicious of anything that I am not 100% certain about.
> > 12346/tcp  filtered    NetBus
> > 31337/tcp  filtered    Elite
> No idea what the NetBus stuff is, so I'd naturally be suspicious, and the Elite port tells me you have been had, as in hacked. Port 31337 is a known backdoor port.
I agree with the final analysis here. The last four "privileged" ports [1020-1023], "elite", and NetBus are reasonably good indications of a hacked system. The actual owner of 192.86.128.45 may be completely unaware of the actions being taken by his system [though I'll bet internet access for THAT person seems "sluggish" ;)].

The "spam" you reported earlier may be due to a similar cause. This system is a zombie, probably an open relay [well, you did find sendmail to be open...], and probably at the top of many cracker lists of systems to own. Hopefully the ISP of the other system will recognize this fact and take appropriate action [such as suggesting appropriate firewall software to their customer; outright dropping service won't do anyone any good, because the person who owns that system won't know it needs fixing...]

-- 
Yet another Blog: http://osnut.homelinux.net
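The reasoning in this thread (a trojan's default port, a run of unnamed listeners just below 1024, and "open" versus "filtered" results carrying different weight) can be turned into a small triage script that reads the classic nmap 3.x text output. The following is an added example written for this page; it is not code from any of the posters. The sample scan output is constructed to mirror the ports quoted above, with a placeholder host name and the RFC 5737 documentation address 192.0.2.45 standing in for the real target. One caveat the script makes explicit: nmap reports "filtered" when the probe got no answer at all, typically because a firewall dropped it, so a filtered 31337 or 12346 is much weaker evidence of a backdoor than an "open" one would be.

```python
"""Parse nmap 3.x text output and flag ports worth a second look.

Added example for this thread, not code from any of the posters. The sample
output below is constructed to mirror the ports quoted in the thread; the host
name and 192.0.2.45 (an RFC 5737 documentation address) are placeholders.
"""
import re
from dataclasses import dataclass

# Matches the classic "port/proto  state  service" lines that nmap 3.x printed.
PORT_LINE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")

# Default ports of well-known Windows trojans of that era. Matching a port
# number is only a hint: the port may be legitimately reused or firewalled.
BACKDOOR_PORTS = {
    12345: "NetBus default control port",
    12346: "NetBus default secondary port",
    31337: "classic 'elite' backdoor port (Back Orifice used 31337/udp by default)",
}

# Constructed sample in nmap 3.00's output format (not a real scan).
SAMPLE_OUTPUT = """\
Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Interesting ports on scanme.example (192.0.2.45):
(The 1590 ports scanned but not shown below are in state: closed)
Port       State       Service
22/tcp     open        ssh
25/tcp     open        smtp
1020/tcp   open        unknown
1021/tcp   open        unknown
1022/tcp   open        unknown
1023/tcp   open        unknown
12346/tcp  filtered    NetBus
31337/tcp  filtered    Elite
"""


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str


def parse_nmap(text):
    """Return a PortEntry for every port line; banner and summary lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            entries.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return entries


def flag_suspicious(entries):
    """Return (entry, reason) pairs using the three heuristics from the thread.

    1. Known trojan default ports, whatever their state. The state is carried
       along on purpose: 'open' means something accepted the connection, while
       'filtered' only means the probe was dropped (usually by a firewall),
       which is far weaker evidence of a backdoor.
    2. Ports below 1024 that are open but that nmap cannot name ('unknown'),
       like 1020-1023 in the quoted scan: on Unix those need root to bind.
    3. Any other open port whose service is unnamed.
    """
    findings = []
    for e in entries:
        if e.port in BACKDOOR_PORTS:
            findings.append((e, BACKDOOR_PORTS[e.port]))
        elif e.state == "open" and e.service == "unknown":
            if e.port < 1024:
                findings.append((e, "unnamed service on a privileged port"))
            else:
                findings.append((e, "unnamed open service"))
    return findings


def report(text):
    """Human-readable summary, one line per finding, 'open' results listed first."""
    findings = flag_suspicious(parse_nmap(text))
    ordered = sorted(findings, key=lambda f: f[0].state != "open")  # stable sort
    return [f"{e.port}/{e.proto} {e.state:<8} {e.service:<8} {reason}"
            for e, reason in ordered]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_OUTPUT)))
```

Running the script on the constructed sample lists the four unnamed privileged ports first, then the two filtered trojan ports, each with its reason; feeding it a saved nmap text log instead of `SAMPLE_OUTPUT` is the only change needed to triage a real scan.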