
RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???



> -----Original Message-----
> From: Loryan Strant [mailto:cobalt-emails@xxxxxxxxxx]
> Sent: 17 April 2001 09:24

> I've found that "/usr/sbin/nscd" is the responsible program 
> for that port being open. I don't know what that program is,
> as it is not found on our backup RaQ4 server (which mind you
> has a lot less updates and programs installed).

nscd isn't on a RaQ3 I've just checked either.  Obviously the hacker has
chosen an innocuous name for the program rather than calling it
/usr/sbin/leet-ssh-shell.  I'd kill the nscd program running and then remove
the program immediately.

With all due respect to the other users who've posted to these mailing lists
please do note:

Under *no* circumstances will nscd open a TCP port giving you access to a
shell prompt.  In fact I'm told in its normal operation it will only open a
high numbered UDP port.  (I haven't really used nscd myself; IME it causes
more problems than it fixes.)

Under absolutely no circumstances ever, ever, ever will nscd behave as you
describe; you will not be able to telnet to it so that it replies giving a fair
imitation of an ssh daemon.

The behaviour you are seeing is a hacker backdoor; it is not the normal
operation of the software.

> I know that my server is now untrustworthy, but would it be a 
> good idea to rename/delete this file in the meantime?

Unfortunately your tasks are now: backup the box, re-install onto the
re-formatted disk, then use your backup *only* as a template on how to
configure your restored host.  Make sure you patch it up, use the backup to
see how the hackers got in if you have the time, and do all of this offline.

( Please note I only subscribe to cobalt-security, not cobalt-users )

-- 
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Wed 18/04/2001 at  9:00 
This computer has been up for 17 days, 1 hour, 37 minutes, 32 seconds.
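The first step the reply describes, finding out which program is actually holding the port, is usually done with netstat or lsof, but on a box you already believe is backdoored those are exactly the binaries an intruder replaces. The script below is an added example, not part of the original mail and not Cobalt's or Demon's code: it reads /proc/net/tcp directly, decodes the kernel's hex socket table, and maps the listening socket's inode back to a PID and executable by walking /proc/*/fd. The embedded /proc/net/tcp text is constructed for the example (port 44658 is taken from the thread's subject; the inode numbers and the other ports are made up), and the live `triage()` path assumes a Linux /proc layout and root privileges to read other users' fd tables.

```python
"""Triage helper: list LISTEN sockets and find the process behind one of them,
read straight from /proc rather than via netstat/lsof, which a backdoor
installer may have trojaned.  Added example, not code from the original mail."""
import glob
import os
import socket
import struct
import sys

# Constructed sample of /proc/net/tcp (NOT captured from the RaQ in the thread).
# local_address is IPv4 as a little-endian hex word, then the port in hex:
# 0016 == 22, 0050 == 80, AE72 == 44658.  st 0A == LISTEN, 01 == ESTABLISHED.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 00000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1340 1 00000000 100 0 0 10 0
   2: 00000000:AE72 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 00000000 100 0 0 10 0
   3: 0100007F:0016 0100007F:C3A1 01 00000000:00000000 00:00000000 00000000     0        0 13001 1 00000000 100 0 0 10 0
"""

TCP_LISTEN = 0x0A  # value of the 'st' column for a listening socket


def _decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22).  The kernel writes the IPv4
    address as one little-endian 32-bit hex word and the port as plain hex."""
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listening_ports(proc_net_tcp_text):
    """Return {port: (bind_ip, uid, inode)} for every socket in LISTEN state."""
    result = {}
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # header row starts with 'sl'; data rows have at least 10 columns
        if len(fields) < 10 or fields[0] == "sl":
            continue
        ip, port = _decode_addr(fields[1])
        if int(fields[3], 16) != TCP_LISTEN:
            continue
        result[port] = (ip, int(fields[7]), int(fields[9]))
    return result


def owners_of_inode(inode, proc="/proc"):
    """Map a socket inode to [(pid, exe_path)] by walking every /proc/<pid>/fd.
    Reading other users' fd tables needs root; unreadable entries are skipped."""
    target = "socket:[%d]" % inode
    owners = set()
    for fd in glob.glob(os.path.join(proc, "[0-9]*", "fd", "*")):
        try:
            if os.readlink(fd) != target:
                continue
            pid = int(fd.split(os.sep)[-3])
            try:
                exe = os.readlink(os.path.join(proc, str(pid), "exe"))
            except OSError:
                exe = "?"
            owners.add((pid, exe))
        except OSError:
            continue
    return sorted(owners)


def triage(port, proc="/proc"):
    """Live check on the local host: which process is listening on `port`?
    Returns None if nothing is listening there (IPv4 only; see /proc/net/tcp6)."""
    with open(os.path.join(proc, "net", "tcp")) as fh:
        listeners = listening_ports(fh.read())
    if port not in listeners:
        return None
    ip, uid, inode = listeners[port]
    return {"bind": ip, "uid": uid, "inode": inode,
            "owners": owners_of_inode(inode, proc)}


if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 44658
    print(triage(port))
```

Run it as root with the suspect port as the argument and it prints the bind address, owning uid, socket inode and the resolved `/proc/<pid>/exe` target, which survives even if the file on disk has since been renamed. Two caveats in the spirit of the reply above: on an RPM-based system such as the RaQ, `rpm -qf` and `rpm -Vf` on the resolved path tell you whether the binary belongs to any package and whether it still matches the package's checksum, but a kernel-level rootkit can hide entries from /proc just as easily as from netstat, so this is a quick triage aid, not a substitute for examining the disk offline and rebuilding from clean media.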