Re: [fw-wiz] FW: OT? New compromise.

If you suspect you have a rootkit, it shouldn't be that hard to find it,
depending on whether you can shut down any of these boxes and run Knoppix
& Tripwire or something similar. Even better if you can take the disks out
and check it on a clean box.

You may need to boot/take out the disk a few times to see what's changed
during consecutive boots and verify the checksums of common files against
good sources.

Pretty much any rootkit has to "bootstrap" itself from some kind of
executable, device driver, daemon, etc. Once bootstrapped, it would
normally hide itself; that's why it is hard to find something not generally
known on an infected box.

One very quick test I would have done is to install and try to run MS
Messenger on a Windows box; if it complains that it can't bind to 1863 then
you possibly have something bad. I haven't seen anything else running on
that port except it.

Victor Williams <vbwilliams@xxxxxxxxxx> wrote:

Port 1863 is the port for Microsoft's Instant Messenger client
communications. 1720 is the default for later versions, where
these two pieces of functionality are integrated together.

It could appear to exist on Linux boxes because of any of a number of
Instant Messenger clients that come by default. I know GAIM and Kopete
are included by default with Fedora 4 and later and work with all the
major IM networks (MSN, Yahoo, ICQ, AIM).

The problem is, comments like "We've been finding it a lot when looking
at customers with spammy viruses.", "It's invisible on the local
machine" (Gaim certainly wouldn't be hiding from ps or netstat), "I
have several security sources and none of them have been able to
identify it", the ability to see it when nmap'ing from an external
host, but not from localhost, etc.

All of this struck me as exceedingly odd.

In MS systems, MSN IM client starts itself automatically unless you
specifically tell it not to. Likewise, even if you tell it not to,
loading MS Office 2003 or later will re-set it so that it starts
automatically again.

MS systems do a lot of things their users would prefer they not.

Note: My mail server employs *very* aggressive anti-spam
filtering. If you reply to this email and your email is
rejected, please accept my apologies and let me know via my
web form at <>.
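The offline checksum comparison suggested at the top of the thread (boot clean media, hash the suspect disk, diff against a known-good baseline, repeat across boots) as an added example that is not code from the thread or from Tripwire. The file tree and "changes" below are constructed in a temp directory to stand in for a mounted suspect disk.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path, algo="sha256", chunk=65536):
    """Stream a file through the hash so large binaries don't load into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Hash every regular file under root, keyed by path relative to root.

    Run this against the disk mounted read-only from clean media; the
    hashes then come from a kernel and userland the rootkit cannot hook.
    """
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare_manifests(baseline, current):
    """Report paths added, removed, or whose hash differs from the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline
                     if p in current and baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


def demo():
    """Constructed scenario: a good baseline, then a later boot that differs."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"constructed: original ls")
        (root / "bin" / "ps").write_bytes(b"constructed: original ps")
        baseline = build_manifest(root)  # from a known-good install
        # Simulate what the next boot might show: ps replaced, new file dropped
        (root / "bin" / "ps").write_bytes(b"constructed: replaced ps")
        (root / "bin" / "kmod.ko").write_bytes(b"constructed: unexpected file")
        return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    print(demo())
```

A hit on a tool like ps or netstat is exactly the case the thread describes, since those are the binaries a rootkit has to alter to stay "invisible on the local machine".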
firewall-wizards mailing list