25 Dec 2002 13:31
Dirk Kutsche wrote:
Hi Sven,
Sven 'Darkman' Michels wrote:
looks like a backdoor. Check if any port is open on your box that shouldn't be there.
The standard security-check mailed me:
* Changes (+: new entries, -: removed entries):
+ bi wwwrun TCP *:4000 (LISTEN)
+ bi wwwrun TCP *:443 (LISTEN)
+ bi wwwrun TCP *:80 (LISTEN)
It looks like a second process is listening at 443/80 -- because apache incl. ssl worked fine.
hum, that's bad ... is apache running on a specific ip?
I'm working on that -- I thought, maybe there is detailed information out in the field about the type of backdoor and the way he got in.
hopefully, you also can mail me the bi binary, maybe I'll find something...
regards,
Sven
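An added example, not part of the original thread: a small triage script for the change report quoted in the message, flagging new listeners on ports nobody expects and on known service ports held by an unfamiliar command. The EXPECTED allowlist (httpd on 80/443) and the function names are assumptions made for illustration.

```python
import re

# Constructed sample: the report lines quoted in the message above.
REPORT = """\
* Changes (+: new entries, -: removed entries):
+ bi wwwrun TCP *:4000 (LISTEN)
+ bi wwwrun TCP *:443 (LISTEN)
+ bi wwwrun TCP *:80 (LISTEN)
"""

# Assumption: which command names may own which listening port on this host.
EXPECTED = {80: {"httpd"}, 443: {"httpd"}}

# One change line: sign, command, user, protocol, address:port, optional (STATE).
LINE = re.compile(
    r"^(?P<sign>[+-])\s+(?P<cmd>\S+)\s+(?P<user>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<addr>\S+):(?P<port>\d+)(?:\s+\((?P<state>\w+)\))?\s*$"
)

def parse_changes(report):
    """Return one dict per +/- entry; header and blank lines are skipped."""
    entries = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entries.append(entry)
    return entries

def suspicious_listeners(report, expected=EXPECTED):
    """Flag newly added listeners that the allowlist does not account for."""
    findings = []
    for e in parse_changes(report):
        if e["sign"] != "+":
            continue  # removed entries are not new exposure
        allowed = expected.get(e["port"])
        if allowed is None:
            reason = "unexpected port"
        elif e["cmd"] not in allowed:
            reason = "service port held by unexpected command"
        else:
            continue
        findings.append((e["port"], e["cmd"], e["user"], reason))
    return sorted(findings)

if __name__ == "__main__":
    for port, cmd, user, reason in suspicious_listeners(REPORT):
        print(f"{port}/tcp  {cmd} ({user}): {reason}")
```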