Re: [cobalt-security] Have I been hacked?
- Subject: Re: [cobalt-security] Have I been hacked?
- From: Michael Stauber <cobalt@xxxxxxxxxxxxxx>
- Date: Wed, 9 Jan 2002 23:11:43 +0100
- Organization: Stauber Multimedia Design
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Hi Simon,
> I have run a portscan from outside the box now and these are the results.
> (Took me long enough...)
>
> xxx.xx.xx.xxx :13782 - bpcd -- open
> xxx.xx.xx.xxx :13722 - bpjava-msvc -- open
The above two are for Veritas.
> xxx.xx.xx.xxx :3306 - mysql -- open
MySQL, as it says.
> xxx.xx.xx.xxx :3001 - nessusd -- open
> xxx.xx.xx.xxx :3000 - hbci -- open
Chili!Soft ASP
> xxx.xx.xx.xxx :444 - snpp -- open
> xxx.xx.xx.xxx :81 - hosts2-ns -- open
> xxx.xx.xx.xxx :80 - http -- open
The above three are for HTTP and Admin interface.
> xxx.xx.xx.xxx :143 - imap -- open
> xxx.xx.xx.xxx :110 - pop-3 -- open
> xxx.xx.xx.xxx :25 - smtp -- open
Above three are for Email, as it says.
> xxx.xx.xx.xxx :53 - domain -- open
DNS
> xxx.xx.xx.xxx :21 - ftp -- open
FTP, as it says.
> xxx.xx.xx.xxx :52 - xns-time -- open
NOT (!!) normal. I'd inspect that one closer. Also, check if all of the above
other services are enabled in your Admin interface. For instance: If your
"Services" tab in the admin interface says, ASP is not activated, but you
have ports 3001 and 3000 open, then this mismatch should cause concerns.
Port 52 definitely is suspicious. I wouldn't wonder if that's a hidden SSH
daemon or other method of entry for unfriendly visitors.
I do this stuff for a living and I could (free of charge) take an inside look
at your machine and let you know what I find.
--
With best regards,
Michael Stauber
mstauber@xxxxxxxxxxxxxx
Unix/Linux Support Engineer
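
The check described in the message above (map each open port to the service expected to own it, then compare against what the admin interface says is enabled) can be scripted. This is an added example, not part of the original message; the service group names, the `enabled` set and the sample scan lines are constructed assumptions, while the port-to-service mapping follows the reply.

```python
import re

# Port ownership as given in the reply. Group names are hypothetical labels
# standing in for entries on the admin interface's "Services" tab.
KNOWN = {
    13782: "veritas", 13722: "veritas",
    3306: "mysql",
    3001: "asp", 3000: "asp",          # Chili!Soft ASP
    444: "web", 81: "web", 80: "web",  # HTTP and admin interface
    143: "email", 110: "email", 25: "email",
    53: "dns",
    21: "ftp",
}

# Matches lines like "xxx.xx.xx.xxx :52 - xns-time -- open", with or without
# a leading mail quote marker. The label is only the scanner's guess from the
# port number, so it is recorded but never trusted.
LINE = re.compile(r"^\s*(?:>\s*)?(\S+)\s*:(\d+)\s+-\s+(\S+)\s+--\s+open\s*$")

def open_ports(scan_text):
    """Return {port: scanner_label} for every port reported open."""
    return {int(m.group(2)): m.group(3)
            for m in map(LINE.match, scan_text.splitlines()) if m}

def audit(scan_text, enabled_services):
    """Return (unknown, mismatched): ports with no known owner, and ports
    whose owning service is not enabled according to the admin interface."""
    found = open_ports(scan_text)
    unknown = sorted(p for p in found if p not in KNOWN)
    mismatched = sorted(p for p in found
                        if p in KNOWN and KNOWN[p] not in enabled_services)
    return unknown, mismatched

# Constructed sample in the format of the quoted scan output.
SAMPLE_SCAN = """\
> xxx.xx.xx.xxx :3306 - mysql -- open
> xxx.xx.xx.xxx :3001 - nessusd -- open
> xxx.xx.xx.xxx :3000 - hbci -- open
> xxx.xx.xx.xxx :80 - http -- open
> xxx.xx.xx.xxx :52 - xns-time -- open
"""

if __name__ == "__main__":
    # Assumed admin-interface state: ASP is switched off.
    enabled = {"veritas", "mysql", "web", "email", "dns", "ftp"}
    unknown, mismatched = audit(SAMPLE_SCAN, enabled)
    print("no known owner:", unknown)
    print("open but service disabled:", mismatched)
```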