
RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Yeah, looks like it could be a bad thing.. nscd is /supposed/ to be a
utility that does nameserver caching.. not supposed to launch sshd out on
a port.. heh. I found a link that might be helpful though.. found on
some mailing list out there..

http://boudicca.tux.org/mhonarc/ma-linux/2001-Feb/msg00746.html

Hope this helps.. send a note to intrusion@xxxxxxxx as well so they can
document it..

Rob

- -- 
Rob Kennedy
ASPRE, Inc.
rob@xxxxxxxxx
http://www.aspre.net/

Managed e-Business that works
- ---------------------------------
the first exclusive e-Business Application Service Provider (ASP)

t. 215.957.2266 Ext. 2145
f. 215.957.2277

113 Rock Road
Horsham, PA 19044

On Tue, 17 Apr 2001, Loryan Strant wrote:

> I've found that "/usr/sbin/nscd" is the responsible program for that port
> being open. I don't know what that program is, as it is not found on our
> backup RaQ4 server (which mind you has a lot less updates and programs
> installed).
> I know that my server is now untrustworthy, but would it be a good idea to
> rename/delete this file in the meantime?
>
> Thanks,
>
> Loryan
>
> -----Original Message-----
> From: cobalt-security-admin@xxxxxxxxxxxxxxx
> [mailto:cobalt-security-admin@xxxxxxxxxxxxxxx]On Behalf Of Rob Kennedy
> Sent: Tuesday, 17 April 2001 3:30 AM
> To: cobalt-users@xxxxxxxxxxxxxxx
> Cc: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
>
>
> Go grab a copy of lsof and grep for LISTEN, or run netstat -anp |grep
> LISTEN and see what is actually running, then take a look through your
> inetd.conf or /etc/services to see if it was set up in there..  do a ps
> auxw to see what user started it.. find the file that starts it, and see
> when it was installed.. do a last -a to see who was logged in at the time
> and from where.. etc..  things I would do..
>
> Rob
>
> --
> Rob Kennedy
> ASPRE, Inc.
> rkennedy@xxxxxxxxx
> http://www.aspre.net/
>
> Managed e-Business that works
> ---------------------------------
> the first exclusive e-Business Application Service Provider (ASP)
>
> t. 215.957.2266 Ext. 2145
> f. 215.957.2277
>
> 113 Rock Road
> Horsham, PA 19044
>
> On Mon, 16 Apr 2001, Loryan Strant wrote:
>
> > Hi,
> >
> > While doing a routine portscan of my RaQ4, I noticed that port 44658 is
> > running SSH 1.5-1.2.27.
> >
> > I know for a fact that I didn't set that up, as I'm running OpenSSH 2.1.1 on
> > a completely different port.
> >
> > Does anyone have any ideas as to what this is?
> >
> > Thanks,
> >
> > Loryan
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
>
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
>
> ------------ Output from gpg ------------
> gpg: Signature made Mon 16 Apr 2001 01:30:12 PM EDT using DSA key ID FE70284B
> gpg: BAD signature from "Rob Kennedy <rkennedy@xxxxxxxxx>"
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE63I8HgExIAP5wKEsRAkIbAKCfZFPSdMSNb4keF7SgkvX7v0/UXwCggFZN
rUurOyamEVGA8weUrQ1yIJ0=
=WXBm
-----END PGP SIGNATURE-----
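
The triage steps from the quoted message (list the listeners, identify the owning program, then check who started it and when), as an added example that is not part of the original thread. The allowlist, the sample `netstat -anp` output and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed allowlist of "port/program" pairs expected on this host.
EXPECTED="${EXPECTED:-22/sshd 25/sendmail 80/httpd}"

# Constructed sample of `netstat -anp` output, modelled on the thread.
SAMPLE='Proto Recv-Q Send-Q Local Address    Foreign Address    State       PID/Program name
tcp        0      0 0.0.0.0:80       0.0.0.0:*          LISTEN      612/httpd
tcp        0      0 0.0.0.0:44658    0.0.0.0:*          LISTEN      1187/nscd
tcp        0      0 0.0.0.0:25       0.0.0.0:*          LISTEN      540/sendmail
tcp        0      0 192.0.2.10:80    198.51.100.7:3321  ESTABLISHED 640/httpd
udp        0      0 0.0.0.0:53       0.0.0.0:*                      501/named'

# Reads `netstat -anp` text on stdin; prints "port pid program" for every
# TCP LISTEN socket whose port/program pair is not in $EXPECTED.
unexpected_listeners() {
    awk -v expected="$EXPECTED" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            pid = "-"; prog = "-"                # "-" when netstat ran without root
            if ($7 ~ /\//) { split($7, p, "/"); pid = p[1]; prog = p[2] }
            if (!((port "/" prog) in ok)) print port, pid, prog
        }'
}

# Follow-up for one flagged PID on a live host: which binary, who started it,
# when the file last changed, and who was logged in (the steps in the thread).
follow_up() {
    exe=$(readlink "/proc/$1/exe") || return 1
    ls -lc "$exe"
    ps auxw | awk -v pid="$1" 'NR == 1 || $2 == pid'
    last -a | head -n 20
}

# Stand-alone run: analyse the constructed sample. On a real host use
#   netstat -anp | unexpected_listeners
# and compare with a portscan from another machine, since tools on a
# host already considered untrustworthy may not report everything.
printf '%s\n' "$SAMPLE" | unexpected_listeners
```
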