Re: Port Scan Question (kinda urgent)

From: Muhammad Faisal Rauf Danka (mfrd@attitudex.com)
Date: 05/03/02


Date: Fri, 3 May 2002 12:59:13 -0700 (PDT)
From: Muhammad Faisal Rauf Danka <mfrd@attitudex.com>
To: security-discuss@linuxsecurity.com


Phew! I can imagine the state you would probably be in, but you're at the right place.
Anyway, first of all, there could be two reasons for those ports to be seen as (filtered):

First: on the external host from which you are scanning, either the host itself could be filtering those outgoing connections, or the router or gateway of that external machine could be filtering outgoing ports, which are then seen in your scan as filtered.

Secondly: maybe your firewall is not sending a REJECT message on those ports and is instead sending DENY or DROP. That's why your box is not saying (HELLO, you are not allowed on this port), so supposedly nmap thinks that those ports are being filtered.

As far as the chkrootkit problem is concerned, why don't you just install RH7.0 on a fresh, different PC, then make an md5sum of all the critical files in /bin and /sbin and compare those signatures with the box you suspect is cracked. (Make sure you make a copy of the (supposedly compromised) box first.)

Also, another method which I commonly do is that I keep clean copies of binaries which are most commonly trojanned, such as:

netstat
ls
ps
lsof (I have just seen one rootkit with an lsof binary so far)
pstree ( // )
/bin/login
finger
who

and whenever I feel a bit paranoid (which I mostly do), I just slip out my floppy of those binaries and compare the output of the existing system binaries with the output of my fresh/clean binaries on the write-protected disk.

Anyway, good luck.

Regards,
---------
Muhammad Faisal Rauf Danka

Chief Technology Officer
Gem Internet Services (Pvt) Ltd.
web: www.gem.net.pk
voice: 92-021-111-GEMNET

Chief Security Analyst
Applied Technology Research Center (ATRC)
web: www.atrc.net.pk
voice: 92-21-4980523 92-21-4974781

"Great is the Art of beginning, but Greater is the Art of ending. "


--- David Correa <tech@linux-tech.com> wrote:
>
>Hi,
>
>I need some advice.
>
>I am working on a friend's "firewall"; it is an RH7.0
>he had running with ipchains. I upgraded the kernel
>to 2.4.18 and now it has iptables. The problem is
>that when I scan locally I see only ssh open:
>
>Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
>Interesting ports on localhost (127.0.0.1):
>(The 1522 ports scanned but not shown below are in state: closed)
>Port State Service
>22/tcp open ssh
>
>Nmap run completed -- 1 IP address (1 host up) scanned in 0 seconds
>
>But when I scan from a remote computer I see this:
>
>Starting nmap V. 2.53 by fyodor@insecure.org ( www.insecure.org/nmap/ )
>Interesting ports on x.x.x.x (x.x.x.x):
>(The 1517 ports scanned but not shown below are in state: closed)
>Port State Service
>22/tcp open ssh
>137/tcp filtered netbios-ns
>138/tcp filtered netbios-dgm
>139/tcp filtered netbios-ssn
>1080/tcp filtered socks
>8888/tcp filtered sun-answerbook
>
>Nmap run completed -- 1 IP address (1 host up) scanned in 12 seconds
>
>Samba is not running there. netstat does not show
>any unusual connections. The computer does not have lsof installed.
>
>If I do a ps ax I don't see a socks process either.
>
>The worst part was that I tried to use a program I found
>called chkrootkit-0.35; it did not find anything until the computer
>hung at "Searching for suspicious files and dirs, it may take a
>while..."
>
>Now if I do a ps it never completes; I never get
>the root # back. The program stopped when it got to
>Searching for suspicious files and dirs, it may take a while...
>Now the computer does not even respond when I send a reboot
>command.
>
>I tried this chkrootkit-0.35 on other computers and it never did that.
>
>The guy does not have tripwire or anything like that.
>
>My guess is that this computer was rooted before I got to it.
>
>Any feedback is welcome.
>
>David Correa
>Public Key http://www.linux-tech.com/linuxtech.asc
>Key fingerprint 7F2C E072 479D 71B4 008B 373E A284 8CDE 7659 F5D8
>------------------------------------------------------------------------
> To unsubscribe email security-discuss-request@linuxsecurity.com
> with "unsubscribe" in the subject of the message.
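A script form of the md5sum comparison suggested in the reply above, added here as an example and not code from the original thread. It assumes a clean reference tree (a fresh install or the write-protected floppy) and that the checksum tool itself is trusted; the MD5 variable and the make_baseline/compare_baseline function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): baseline and compare checksums of the
# binaries the reply lists as commonly trojanned. Run the checksum tool from
# trusted media, e.g. MD5=/mnt/floppy/md5sum ./check.sh (assumes GNU md5sum).
MD5=${MD5:-md5sum}
BASELINE_BINS="netstat ls ps lsof pstree login finger who"

# make_baseline ROOT MANIFEST: write "hash  /dir/name" for each listed binary
# found under ROOT (a fresh RH7.0 install or a mounted clean disk).
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for b in $BASELINE_BINS; do
        for d in bin sbin usr/bin usr/sbin; do
            f="$root/$d/$b"
            [ -f "$f" ] || continue
            # record the path relative to ROOT so manifests compare across hosts
            printf '%s  /%s/%s\n' "$("$MD5" < "$f" | cut -d' ' -f1)" "$d" "$b" >> "$out"
        done
    done
}

# compare_baseline MANIFEST ROOT: report each modified or missing binary under
# ROOT (the suspect box, or a copy of it); return 0 only if all match.
compare_baseline() {
    manifest=$1; root=$2; rc=0
    while read -r want path; do
        f="$root$path"
        if [ ! -f "$f" ]; then
            echo "MISSING  $path"; rc=1; continue
        fi
        have=$("$MD5" < "$f" | cut -d' ' -f1)
        if [ "$have" != "$want" ]; then
            echo "MODIFIED $path expected=$want got=$have"; rc=1
        fi
    done < "$manifest"
    return $rc
}
```

A non-zero exit from compare_baseline is the signal to stop trusting the box's own tools and work from the copy, as the reply advises.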
