RE: [cobalt-security] bindshell INFECTED PORTS 1524 31337
- Subject: RE: [cobalt-security] bindshell INFECTED PORTS 1524 31337
- From: "Curtis Ross" <Curtis_Ross@xxxxxx>
- Date: Wed, 19 Sep 2001 09:43:20 -0600
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
> -----Original Message-----
> From: putremos@xxxxxxxxxxxxxx@CPR
> Sent: Wednesday, September 19, 2001 5:35 AM
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: [cobalt-security] bindshell INFECTED PORTS 1524 31337
>
>
> can anyone tell me what's going on here, I'm kinda worried :(
>
> just ran the chkrootkit and it warns me:
>
> Checking `bindshell'... INFECTED (PORTS: 1524 31337)
>
> I checked through Portsentry/Logcheck reports and came across:
>
> Sep 17 19:32:55 server portsentry[5423]: attackalert: Connect from host: 62-36-148-15.dialup.uni2.es/62.36.148.15 to UDP port: 31337
> Sep 17 19:32:55 server portsentry[5423]: attackalert: Ignoring UDP response per configuration file setting.
>
> I'm a bit stumped, how do I figure out if it's a false alarm or whether
> I have been compromised (has anyone heard of exploits using those
> ports). I guess it's been ignored because 31337 is not in my list of
> ports to monitor.
>
> Any feedback is much appreciated
>
> Paul Milne
> Digit Limited
>
Quote from the www.chkrootkit.org site:
I'm running PortSentry/klaxon. What's wrong with the bindshell test?
If you're running PortSentry/klaxon or another program that binds itself
to unused ports probably chkrootkit will give you a false positive on
the bindshell test (ports 114/tcp, 465/tcp, 511/tcp, 1008/tcp, 1524/tcp,
1999/tcp, 3879/tcp, 5665/tcp, 10008/tcp, 12321/tcp, 23132/tcp,
27374/tcp, 29364/tcp, 31336/tcp, 31337/tcp, 45454/tcp, 47017/tcp,
47889/tcp, 60001/tcp).
Curtis Ross
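
One way to act on the FAQ answer quoted above, as an added example that is not part of the original thread or of chkrootkit: report which process owns each listener on the FAQ's bindshell ports, so a PortSentry-bound port can be told apart from an unknown one. It assumes the Linux `netstat -tlnp` column layout and that the port-binding daemon's process name is `portsentry`; the sample listing and its PIDs are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread.
# TCP ports taken from the chkrootkit FAQ text quoted in the reply above.
BINDSHELL_PORTS="114 465 511 1008 1524 1999 3879 5665 10008 12321 23132 \
27374 29364 31336 31337 45454 47017 47889 60001"

# classify_listeners: read `netstat -tlnp` style lines on stdin and print
# "<port> <pid/program> <verdict>" for each listener on a bindshell port.
# $1 = process name expected to hold those ports (assumption: portsentry).
classify_listeners() {
    awk -v ports="$BINDSHELL_PORTS" -v expected="${1:-portsentry}" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) watch[p[i]] = 1 }
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            port = $4; sub(/.*:/, "", port)        # drop the address, keep the port
            if (!(port in watch)) next             # not a port chkrootkit tests
            owner = $7                             # "PID/name", or "-" if not run as root
            prog = owner; sub(/^[0-9]+\//, "", prog)
            verdict = (prog == expected) ? "expected" : "INVESTIGATE"
            print port, owner, verdict
        }'
}

# Constructed sample listing (not output from the poster's server).
sample_netstat() {
cat <<'EOF'
Proto Recv-Q Send-Q Local Address  Foreign Address State  PID/Program name
tcp   0      0      0.0.0.0:22     0.0.0.0:*       LISTEN 612/sshd
tcp   0      0      0.0.0.0:1524   0.0.0.0:*       LISTEN 2001/portsentry
tcp   0      0      0.0.0.0:31337  0.0.0.0:*       LISTEN 2001/portsentry
tcp   0      0      0.0.0.0:27374  0.0.0.0:*       LISTEN 9911/sh
tcp   0      0      0.0.0.0:60001  0.0.0.0:*       LISTEN -
EOF
}

# Demo on the constructed sample; on a live host use:
#   netstat -tlnp | classify_listeners portsentry
sample_netstat | classify_listeners portsentry
```

A matching process name is only a first filter: for each PID reported as expected, confirm the binary behind it with `ls -l /proc/<pid>/exe` before treating the chkrootkit warning as a false positive.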