Re: [fw-wiz] FW: OT? New compromise.

If you suspect you have a rootkit, it shouldn't be that hard to find it,
depending on whether you can shut down any of these boxes and run Knoppix
& Tripwire or something similar. Even better if you can take the disks out
and check them on a clean box.

You may need to boot/take out the disk a few times to see what's changed
during consecutive boots and verify the checksums of common files against
good sources.

Pretty much any rootkit has to "bootstrap" itself from some kind of
executable, device driver, daemon, etc. Once bootstrapped, it would
normally hide itself; that's why it is hard to find something not generally
known on an infected box.

One very quick test I would have done is to install and try to run MS
Messenger on a Windows box; if it complains that it can't bind to 1863 then
you possibly have something bad. I haven't seen anything else running on
that port except it.

Victor Williams <vbwilliams@xxxxxxxxxx> wrote:

Port 1863 is the port for Microsoft's Instant Messenger client
communications. 1720 is the default for later versions, where these two
pieces of functionality are integrated together.

It could appear to exist on Linux boxes because of any of a number of
Instant Messenger clients that come by default. I know GAIM and Kopete
are included by default with Fedora 4 and later and work with all the
major IM networks (MSN, Yahoo, ICQ, AIM).

The problem is, comments like "We've been finding it a lot when looking
at customers with spammy viruses.", "It's invisible on the local
machine" (Gaim certainly wouldn't be hiding from ps or netstat), "I
have several security sources and none of them have been able to
identify it", the ability to see it when nmap'ing from an external
host, but not from localhost, etc.

All of this struck me as exceedingly odd.

In MS systems, the MSN IM client starts itself automatically unless you
specifically tell it not to. Likewise, even if you tell it not to,
loading MS Office 2003 or later will reset it so that it starts
automatically again.

MS systems do a lot of things their users would prefer they not.

Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <>.
firewall-wizards mailing list
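The offline check the reply describes (boot from clean media, hash the suspect disk, compare across consecutive boots and against known-good copies) is what Tripwire automates. As an added example that is not part of the original thread, the stdlib-only script below does the same in miniature: it snapshots every regular file under a mount point to a JSON baseline and later reports what was added, removed or changed. All function names are my own; the script assumes the suspect disk is mounted read-only from a clean boot and that the baseline file is kept off the suspect box, since a kernel rootkit on the live system can lie to any tool that reads through its VFS.

```python
import hashlib
import json
import os
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream-hash one file so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root):
    """Map every regular file under root (relative POSIX path -> sha256 hex).

    Symlinks are skipped rather than followed so a planted link on the
    suspect disk cannot redirect the scan elsewhere. Directory and file
    names are sorted so two runs over identical trees produce identical output.
    """
    root = Path(root)
    digests = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            digests[p.relative_to(root).as_posix()] = sha256_file(p)
    return digests


def save_baseline(digests, baseline_path):
    """Write the snapshot as JSON; store it somewhere the suspect box cannot reach."""
    with open(baseline_path, "w", encoding="utf-8") as f:
        json.dump(digests, f, indent=1, sort_keys=True)


def load_baseline(baseline_path):
    with open(baseline_path, encoding="utf-8") as f:
        return json.load(f)


def compare(baseline, current):
    """Diff two snapshots: new files, deleted files, and files whose hash moved."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    import argparse

    ap = argparse.ArgumentParser(description="tiny Tripwire-style integrity check")
    sub = ap.add_subparsers(dest="cmd", required=True)
    s = sub.add_parser("snapshot", help="hash ROOT and write BASELINE")
    s.add_argument("root")
    s.add_argument("baseline")
    v = sub.add_parser("verify", help="hash ROOT and diff against BASELINE")
    v.add_argument("root")
    v.add_argument("baseline")
    args = ap.parse_args()

    if args.cmd == "snapshot":
        save_baseline(hash_tree(args.root), args.baseline)
    else:
        report = compare(load_baseline(args.baseline), hash_tree(args.root))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind}\t{p}")
```

Run `snapshot` once from the clean boot, reboot the suspect box normally, then boot clean again and `verify`; anything under /bin, /sbin, /lib or /boot that changed between boots without a package update is worth pulling apart. The "against good sources" half of the reply is the cheaper first pass: on an RPM-based distro `rpm -Va` compares installed files against the package database's recorded checksums, which is still only trustworthy when run from clean media with a known-good rpm binary.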

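The "try to bind 1863" trick in the reply generalises: a rootkit that hides its listener from netstat (which reads /proc/net/tcp) still occupies the port in the kernel's socket table, so bind() fails with EADDRINUSE. Cross-checking bind() results against what /proc/net/tcp admits to is the approach tools like unhide-tcp use. As an added example that is not part of the original thread, the script below implements that cross-check; the /proc/net/tcp sample in the test is constructed, the function names are my own, and the script assumes it runs as root on the live suspect box (a non-root bind() to a port under 1024 fails with EACCES, not EADDRINUSE, and would be reported as an error rather than a hidden listener).

```python
import errno
import socket

TCP_LISTEN = "0A"  # value of the "st" column in /proc/net/tcp for LISTEN


def parse_proc_net_tcp(text):
    """Return the set of local ports in LISTEN state from /proc/net/tcp or tcp6 text.

    Each data line looks like '0: 00000000:0747 00000000:0000 0A ...'; the local
    port is the hex value after the last ':' of the second column.
    """
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], fields[3]
        if state == TCP_LISTEN:
            ports.add(int(local.rsplit(":", 1)[1], 16))
    return ports


def visible_listeners():
    """Listening ports as the (possibly lying) kernel reports them; empty off Linux."""
    ports = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path, encoding="ascii") as f:
                ports |= parse_proc_net_tcp(f.read())
        except OSError:
            pass
    return ports


def port_is_bound(port, host="127.0.0.1"):
    """True if something already holds the port (bind fails with EADDRINUSE).

    No SO_REUSEADDR is set on purpose: we want the bind to collide with any
    existing listener, whether it is bound to 127.0.0.1 or to 0.0.0.0.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return False
    except OSError as e:
        if e.errno == errno.EADDRINUSE:
            return True
        raise  # EACCES etc.: not root, report rather than misclassify
    finally:
        s.close()


def hidden_listeners(ports, visible=None):
    """Ports that refuse bind() but are absent from the kernel's listener table."""
    if visible is None:
        visible = visible_listeners()
    return sorted(p for p in ports if port_is_bound(p) and p not in visible)


if __name__ == "__main__":
    import sys

    # Default sweep: the low ports plus 1863 from the thread; override on argv.
    candidates = [int(a) for a in sys.argv[1:]] or list(range(1, 1025)) + [1863]
    for p in hidden_listeners(candidates):
        print(f"port {p}: bind() refused but not listed in /proc/net/tcp")
```

A hit means either a hidden listener or a listener in another network namespace or bound to a different address family, so confirm with an external nmap before escalating, exactly as the original poster did. The check has the same blind spot as every on-box test: a kernel rootkit that hooks bind() as well as the /proc reader defeats it, which is why the offline disk check still comes first.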