
Re: [cobalt-security] Re: [cobalt-users] ssh on port 44658???



Rob,

The problem with this approach is that too many times I've seen a root job that
installs a rootkit which consists of trojaned versions of netstat, login, ps, etc.
If you have been compromised, none of these things will show anything out of the
ordinary (as the hacker has intended). It's best to look elsewhere.


Rob Kennedy wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Go grab a copy of lsof and grep for LISTEN, or run netstat -anp |grep
> LISTEN and see what is actually running, then take a look through your
> inetd.conf or /etc/services to see if it was set up in there..  do a ps
> auxw to see what user started it.. find the file that starts it, and see
> when it was installed.. do a last -a to see who was logged in at the time
> and from where.. etc..  things I would do..
>
> Rob
>
> - --
> Rob Kennedy
> ASPRE, Inc.
> rkennedy@xxxxxxxxx
> http://www.aspre.net/
>
> Managed e-Business that works
> - ---------------------------------
> the first exclusive e-Business Application Service Provider (ASP)
>
> t. 215.957.2266 Ext. 2145
> f. 215.957.2277
>
> 113 Rock Road
> Horsham, PA 19044
>
> On Mon, 16 Apr 2001, Loryan Strant wrote:
>
> > Hi,
> >
> > While doing a routine portscan of my RaQ4, I noticed that port 44658 is
> > running SSH 1.5-1.2.27.
> >
> > I know for a fact that I didn't set that up, as I'm running OpenSSH 2.1.1 on
> > a completely different port.
> >
> > Does anyone have any ideas as to what this is?
> >
> > Thanks,
> >
> > Loryan
> >
> > _______________________________________________
> > cobalt-users mailing list
> > cobalt-users@xxxxxxxxxxxxxxx
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE62ywkgExIAP5wKEsRAnzGAJ9/tYjyOfF+J89ZOacHOYrztBfNHACfbpcC
> WFqnbSE2d/Fd/gc4UJd7Y38=
> =VZgc
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security

--
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
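
An added example, not from anyone in this thread: Rob's checklist (lsof/netstat for LISTEN, then ps, then last) and Bill's caveat (a rootkit trojans exactly those binaries) together suggest a cross-check that does not depend on the userland tools at all. On a Linux box such as the RaQ the kernel exports its own socket table in /proc/net/tcp, where state 0A means LISTEN and ports are hex (0xAE72 is 44658). The script below parses that file directly, parses netstat's output the way Rob's grep would, and reports any port the kernel knows about that netstat left out. The sample /proc/net/tcp and netstat text are constructed here to show the mismatch; mktemp, awk, sort and comm are assumed to be the usual POSIX/GNU tools. The remaining caveat is that a kernel-level rootkit can lie in /proc too, which is why a scan from a second host, as Loryan did, stays the most trustworthy view.

```shell
#!/bin/sh
# Added example (not from the thread): list TCP listeners straight from
# /proc/net/tcp and diff them against netstat's view.  A rootkit that
# replaces netstat/ps/lsof can hide a port from those tools, but the kernel's
# own socket table still shows it.

# Print the LISTEN (state 0A) ports from a /proc/net/tcp-format file as
# decimal, one per line, sorted.  $1 = path to the file (defaults to the
# real one).  hex2dec is written by hand so the awk stays POSIX-portable.
listening_ports_from_proc() {
    awk '
        function hex2dec(h,    i, d) {
            d = 0
            for (i = 1; i <= length(h); i++)
                d = d * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
            return d
        }
        NR > 1 && $4 == "0A" { split($2, a, ":"); print hex2dec(a[2]) }
    ' "${1:-/proc/net/tcp}" | sort -u
}

# The same list as reported by `netstat -ant`, i.e. by a binary a rootkit
# would replace.  Reads netstat output from stdin so sample text can be fed in.
listening_ports_from_netstat() {
    awk '$NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u
}

# Ports the kernel says are listening that netstat did not report.
# $1 = file of kernel-derived ports, $2 = file of netstat-derived ports,
# both one decimal port per line and sorted (comm requires that).
hidden_listeners() {
    comm -23 "$1" "$2"
}

# Constructed sample /proc/net/tcp: sshd on 22, a second listener on
# 0xAE72 = 44658, and one ESTABLISHED (state 01) socket that must be ignored.
SAMPLE_PROC_TCP=$(mktemp)
cat > "$SAMPLE_PROC_TCP" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 c0000000 300 0 0 2 -1
   1: 00000000:AE72 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 c0000001 300 0 0 2 -1
   2: 0A000002:0016 0A000001:C3A0 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 c0000002 20 4 30 10 -1
EOF

# Constructed netstat output from a trojaned binary that hides port 44658.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.2:22             10.0.0.1:50080          ESTABLISHED'

# Compare the two views over the sample data.  On a real box, feed
# /proc/net/tcp and `netstat -ant` instead of the samples.
kernel_ports=$(mktemp); netstat_ports=$(mktemp)
trap 'rm -f "$SAMPLE_PROC_TCP" "$kernel_ports" "$netstat_ports"' EXIT
listening_ports_from_proc "$SAMPLE_PROC_TCP" > "$kernel_ports"
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports_from_netstat > "$netstat_ports"
echo "listening per kernel:  $(tr '\n' ' ' < "$kernel_ports")"
echo "listening per netstat: $(tr '\n' ' ' < "$netstat_ports")"
echo "hidden from netstat:   $(hidden_listeners "$kernel_ports" "$netstat_ports")"
```

Run as-is it prints the sample mismatch (port 44658 hidden from netstat). Anything this reports should then be chased with the rest of Rob's steps from a known-good toolset (a rescue disk or statically linked binaries copied from a clean machine), since the ps and last on the suspect box deserve the same distrust as its netstat.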