On Wednesday 25 December 2002 10.36, Matthias Hentges wrote:
On Wed, 2002-12-25 at 09.57, Dirk Kutsche wrote:
Hi Sven,
Sven 'Darkman' Michels wrote:
Looks like a backdoor. Check if any port is open on your box that shouldn't be there.
The standard security-check mailed me:

* Changes (+: new entries, -: removed entries):
+ bi wwwrun TCP *:4000 (LISTEN)
+ bi wwwrun TCP *:443 (LISTEN)
+ bi wwwrun TCP *:80 (LISTEN)

It looks like a second process is listening at 443/80 -- because apache incl. ssl worked fine.
Huh? Since when can a port be used twice? I'd say "bi" is a trojaned version of apache and the original apache isn't running at all.
I wonder why he's using port 4000..? That used to be the old ICQ protocol if I'm not mistaken...
Can it be a password sniffer? Posing as Apache, and logging(?) all passwords sent thru http, https and ICQ....
Just a thought...

--
/Rikard

Rikard Johnels
email : rjhn@linux.nu
Web : http://www.rikjoh.com
Mob : +46 70 464 99 39
Public PGP fingerprint
< 15 28 DF 78 67 98 B2 16 1F D3 FD C5 59 D4 B6 78 46 1C EE 56 >
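
The listening-port comparison that produced the report quoted in this thread, as an added example that is not part of the original messages or of the security-check script itself. The baseline snapshot (httpd, sshd) is constructed for illustration; only the three "bi" lines come from the thread.

```python
# Constructed snapshots in the "command user proto address (state)" layout of
# the report quoted in the thread. The httpd and sshd lines are assumed.
BEFORE = """\
httpd wwwrun TCP *:443 (LISTEN)
httpd wwwrun TCP *:80 (LISTEN)
sshd root TCP *:22 (LISTEN)
"""
AFTER = BEFORE + """\
bi wwwrun TCP *:4000 (LISTEN)
bi wwwrun TCP *:443 (LISTEN)
bi wwwrun TCP *:80 (LISTEN)
"""


def parse(snapshot):
    """Return {(command, user, proto, port)} for well-formed LISTEN lines."""
    entries = set()
    for line in snapshot.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[4] != "(LISTEN)":
            continue  # skip headers, blank lines and non-listening sockets
        command, user, proto, addr, _ = fields
        _, sep, port = addr.rpartition(":")
        if sep and port.isdigit():
            entries.add((command, user, proto, int(port)))
    return entries


def review(before, after):
    """Compare two snapshots; return (added, shared, unexpected)."""
    old, new = parse(before), parse(after)
    added = sorted(new - old, key=lambda e: (e[3], e[0]))
    # Ports listed under more than one command name. A listening socket
    # inherited across fork/exec is listed under each process that holds it
    # (general behaviour, not something the thread confirms for this host).
    owners = {}
    for command, _, proto, port in new:
        owners.setdefault((proto, port), set()).add(command)
    shared = {k: sorted(v) for k, v in owners.items() if len(v) > 1}
    # New listeners on ports nothing was bound to in the baseline.
    baseline_ports = {(proto, port) for _, _, proto, port in old}
    unexpected = [e for e in added if (e[2], e[3]) not in baseline_ports]
    return added, shared, unexpected


if __name__ == "__main__":
    added, shared, unexpected = review(BEFORE, AFTER)
    print("added:", added, "\nshared:", shared, "\nunexpected:", unexpected)
```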