Re: [suse-security] server-check
Yup, if you look at the number 31337 it spells ELEET which should tell you straight away that you have been compromised.

-Nix

At 11:52 PM 9/02/2001, you wrote:
There is an exploit usually called bindshell that listens on port 31337. Try a telnet yourmachine 31337 and see.
---
Bogdan Zapca
System Administrator
SC EcoSoft SA Internet Service Provider
1-7 Deva st, Cluj-Napoca, Romania
Tel: +40 64 199696
PGP: http://www.itotal.ro/lupe@admin2.ecosoft.ro.pgp
http://www.ecosoft.ro
On Fri, 9 Feb 2001, Andreas Frowein wrote:
hey list,
the last days i wanted to check my (older) suse-system with nmap. i am new to nmap and have got a question about the results, because local and remote are different:
used syntax: nmap -sF -v -v -v ...
local result (nmap V 2.02):

Port    State   Protocol  Service
21      open    tcp       ftp
22      open    tcp       ssh
25      open    tcp       smtp
53      open    tcp       domain
110     open    tcp       pop3
remote result (nmap V. 2.53, working on a trusted system):

Port       State   Service
21/tcp     open    ftp
22/tcp     open    ssh
25/tcp     open    smtp
53/tcp     open    domain
80/tcp     open    http
110/tcp    open    pop-3
139/tcp    open    netbios-ssn
8080/tcp   open    http-proxy
31337/tcp  open    Elite
i surely know that there is NO netbios working and what about the port 31337/tcp ? back orifice is working on 31337/UDP and that just on window-boxes...but we are speaking of a linux-server. is this a problem of the "old" nmap version used for the local scan?
does anybody know? any help is appreciated. many thanks in advance,
regards,
andreas
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
--- Nix - nix@susesecurity.com http://www.susesecurity.com
Hi everyone,

Running nmap locally I have seen I have two instances of Netbus on port 12345 and 12346, which puts me in paranoid, and port 31337, which someone mentioned is an exploit of bind shell.

1) Do I have a trojan working behind or is it me who needs an aspirin
2) How trusty is running nmap locally if you have already been carrying

Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host (xxx.xxx.xxx.xxx) appears to be up ... good.
Initiating FIN,NULL, UDP, or Xmas stealth scan against (xxx.xxx.xxx.xxx)
The UDP or stealth FIN/NULL/XMAS scan took 7 seconds to scan 1523 ports.
Interesting ports on (xxx.xxx.xxx.xxx):
(The 1507 ports scanned but not shown below are in state: closed)

Port       State   Service
22/tcp     open    ssh
25/tcp     open    smtp
37/tcp     open    time
80/tcp     open    http
111/tcp    open    sunrpc
119/tcp    open    nntp
444/tcp    open    snpp
515/tcp    open    printer
888/tcp    open    accessbuilder
901/tcp    open    samba-swat
4557/tcp   open    fax
4559/tcp   open    hylafax
6000/tcp   open    X11
12345/tcp  open    NetBus
12346/tcp  open    NetBus
31337/tcp  open    Elite

Nmap run completed -- 1 IP address (1 host up) scanned in 7 seconds

--
Togan Muftuoglu
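Added example, not part of the original thread: a short Python script that parses the two port tables Andreas posted (the nmap 2.02 and nmap 2.53 row layouts) and lists the ports only the remote scan reports as open. The names parse_open_ports, compare and WATCHLIST are assumptions of this example, and the watchlist holds just the ports the thread itself calls suspicious.

```python
import re

# Open-port tables copied from the thread: local (nmap 2.02), remote (nmap 2.53).
LOCAL_SCAN = """Port State Protocol Service
21 open tcp ftp
22 open tcp ssh
25 open tcp smtp
53 open tcp domain
110 open tcp pop3"""
REMOTE_SCAN = """Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop-3
139/tcp open netbios-ssn
8080/tcp open http-proxy
31337/tcp open Elite"""
WATCHLIST = {12345, 12346, 31337}  # ports the thread treats as suspicious
OLD_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(tcp|udp)\s+(\S+)$")  # 21 open tcp ftp
NEW_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)$")    # 21/tcp open ftp

def parse_open_ports(text):
    """Return {(port, proto): service} for every row whose state is 'open'."""
    ports = {}
    for line in text.splitlines():
        old, new = OLD_ROW.match(line.strip()), NEW_ROW.match(line.strip())
        if old:
            port, state, proto, service = old.groups()
        elif new:
            port, proto, state, service = new.groups()
        else:
            continue  # header, banner or blank line
        if state == "open":
            ports[(int(port), proto)] = service
    return ports

def compare(local_text, remote_text):
    """List (port, proto, service, on_watchlist) seen open only in the remote scan."""
    local, remote = parse_open_ports(local_text), parse_open_ports(remote_text)
    return [(port, proto, remote[(port, proto)], port in WATCHLIST)
            for port, proto in sorted(set(remote) - set(local))]

if __name__ == "__main__":
    for port, proto, service, watched in compare(LOCAL_SCAN, REMOTE_SCAN):
        print(f"{port}/{proto}", service, "<-- watchlist" if watched else "")
```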