Mailinglist Archive: opensuse-security (320 mails)

Port 33270 and Trinity
  • From: Paul Kozlenko <pkozlenko@xxxxxxxxxx>
  • Date: Tue, 6 May 2003 22:55:55 -0400
  • Message-id: <200305062255.55372.pkozlenko@xxxxxxxxxx>
All:
I have SuSE 8.1 Professional running on a machine that appears to have port
33270 open.

I found this as a result of running "saint".
Saint reports this to be a possible problem.

Description:
Trinity is a Distributed Denial of Service tool that is controlled by IRC.
In the version that the X-Force has been analyzing, the agent binary is
installed on a Linux system at /usr/lib/idle.so. When idle.so is started,
it connects to an Undernet IRC server on port 6667.

What to do:
Scan all systems for port 33270 connections. If any connections are found,
telnet to that port and type "!@#". A system has been compromised if there
is a root shell present after a successful connection to port 33270.

In doing the above from another SuSE linux machine I get:

#telnet linuxmachine 33270
Trying 172.20.1.99...
Connected to linuxmachine.
Escape character is '^]'.

and then typing the "!@#"

I get:
Connection closed by foreign host.

While this is good, I don't know what on my system is responding to this
port. An "lsof -i TCP:33270" returns nothing.

netstat -ea shows
tcp 0 0 *:33270 *:* LISTEN root 31464

Can anybody tell me if I should start to panic, or what this could be?

Thanks
- Paul


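One point on the netstat output above: netstat -e adds User and Inode columns, so the trailing 31464 is the socket's inode, not a PID; netstat -p (or lsof -i) is what names the process, and both do it by matching that inode against the socket:[...] symlinks in /proc/<pid>/fd. The script below, added here and not part of the original post, performs that lookup by hand. The /proc/net/tcp sample in it is constructed: port 33270 and inode 31464 are taken from the post, the other entries and addresses are invented for illustration.

```python
import os

TCP_LISTEN = "0A"   # st column value for a listening socket in /proc/net/tcp

# Constructed sample of /proc/net/tcp: sshd on 22 (inode 1234, invented), the
# root-owned listener on 33270 with inode 31464 (from the post), and one made-up
# established connection on 33270 between 172.20.1.99 and 172.20.1.50.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 00000000 100 0 0 10 0
   1: 00000000:81F6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31464 1 00000000 100 0 0 10 0
   2: 630114AC:81F6 320114AC:9C42 01 00000000:00000000 00:00000000 00000000     0        0 31470 1 00000000 20 4 30 10 -1
"""


def parse_proc_net_tcp(text):
    """Parse /proc/net/tcp or /proc/net/tcp6 text into a list of dicts.

    Columns: sl local_address rem_address st ... uid timeout inode.
    Ports are hex in the file; they are returned as ints.
    """
    entries = []
    for line in text.splitlines()[1:]:        # skip the header line
        f = line.split()
        if len(f) < 10:
            continue
        addr, port = f[1].rsplit(":", 1)
        entries.append({
            "local_addr": addr,
            "local_port": int(port, 16),
            "state": f[3],
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries


def listener_inode(entries, port):
    """Return the socket inode of the LISTEN entry on `port`, or None."""
    for e in entries:
        if e["local_port"] == port and e["state"] == TCP_LISTEN:
            return e["inode"]
    return None


def pid_for_socket_inode(inode, proc="/proc"):
    """Walk /proc/<pid>/fd looking for the symlink 'socket:[inode]'; this is the
    lookup netstat -p and lsof perform. Needs root to see other users' processes."""
    target = "socket:[%d]" % inode
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue                     # permission denied, or the process exited
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    return int(pid)
            except OSError:
                continue
    return None


def who_listens(port, proc="/proc"):
    """Resolve a listening TCP port to inode, pid and executable on a live Linux host."""
    entries = []
    for table in ("tcp", "tcp6"):
        try:
            with open(os.path.join(proc, "net", table)) as fh:
                entries += parse_proc_net_tcp(fh.read())
        except OSError:
            pass
    inode = listener_inode(entries, port)
    if inode is None:
        return None                      # nothing listening on that port
    pid = pid_for_socket_inode(inode, proc)
    exe = None
    if pid is not None:
        try:
            exe = os.readlink(os.path.join(proc, str(pid), "exe"))
        except OSError:
            pass
    return {"inode": inode, "pid": pid, "exe": exe}


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 33270
    print(who_listens(port))
```

Run it as root on the listening host; without root, /proc/<pid>/fd of other users' processes is unreadable and pid comes back None, which is the same blind spot lsof has. If it still returns no pid as root while the kernel table shows the listener, the process list and the kernel disagree, and that gap is worth investigating from a clean boot rather than trusting the running system's own tools.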
