Re: Strange Behaviour !
From: Naseer Bhatti (naseer@fibre.net.pk)
Date: 10/26/01
- Previous message: dewt: "Re: Strange Behaviour !"
- In reply to: dewt: "Re: Strange Behaviour !"
- Next in thread: Christian Vogel: "Re: Strange Behaviour !"
Message-ID: <011401c15e4c$2fd072c0$a53487cb@j9h6c3>
From: "Naseer Bhatti" <naseer@fibre.net.pk>
To: "dewt" <dewt@kc.rr.com>, "Incidents" <incidents@securityfocus.com>, "Jose Nazario" <jose@biocserver.BIOC.cwru.edu>, "Peter Timothey Hessler" <phessler@paychex.com>, "Joshua Wright" <Joshua.Wright@jwu.edu>
Subject: Re: Strange Behaviour !
Date: Fri, 26 Oct 2001 23:29:29 +0500
Despite all the debate, this is for sure that the system is being
compromised by some sort of rootkit, but this is not the point here to prove
whether the system is compromised with a rootkit or not. What I am trying to do
is to see and gather the information about the binaries replaced on the
system and try to avoid all such things in the future.
This might be helpful for others, in case the same guy tries to
./h4x0r some other box. rpc.statd and linuxconf web access are stopped via the
init scripts.
I see a file in /dev/data/scaner with attributes crwx--x--x. This c
attribute makes it suspicious. This is not a regular /dev entry and it is
also a 0 byte file, so I can't view it or see it with strings. The rest of the
thing is that I get a new copy of all the netstat, lsof and other similar
tools and take a close look at the binaries. The purpose of posting this here
was just to save time from examining all the files.
That's all ..
Naseer
----- Original Message -----
From: "dewt" <dewt@kc.rr.com>
To: "Naseer Bhatti" <naseer@fibre.net.pk>; "Incidents"
<incidents@securityfocus.com>
Sent: Friday, October 26, 2001 11:13 PM
Subject: Re: Strange Behaviour !
> On Friday 26 October 2001 12:47 pm, Naseer Bhatti wrote:
> > [...]
> > and finally I am posting this to Incidents
> > [...]
> >
> > Hi, I am administrating a Linux box running RedHat 7.1 with 2.4.2-2 kernel.
> > In fact it's my friend's box..anyway.. I noticed strange behaviour on the
> > system. First of all strange ports are opened and the system is also on
> > some sort of Firewall. Let me explain in detail.
> >
> > My Observations ...
> >
> > Active Internet connections (servers and established)
> > Proto Recv-Q Send-Q Local Address Foreign Address State
> > tcp 0 0 0.0.0.0:32768 0.0.0.0:* LISTEN
> > tcp 0 0 0.0.0.0:98 0.0.0.0:* LISTEN
> >
> > [...]
> >
> > like this is the output of netstat -an. I see here port 32768 listening on
> > but can't find any data when telnet 0 32768. This port seems to be
> > something like
> >
> the one on port 32768 is rpc.statd (to stop it from running do
> /etc/rc.d/init.d/nfslock stop) and is normal to be there, the second is the
> linuxconf web port which will only be on if you have that turned on (to stop
> it do /etc/rc.d/init.d/linuxconf stop) that will only stop it temporarily, to
> stop it permanently run ntsysv and deselect them from the list (use space to
> do that)
>
>
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
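The two questions the thread leaves open are "which listener is which" (dewt attributes 32768 to rpc.statd and 98 to linuxconf) and "which binaries were replaced" (Naseer's real goal). The following is an added example, not code from either poster or from SecurityFocus: it attributes listening TCP ports from `netstat -an` output by cross-referencing `rpcinfo -p` (so a dynamically assigned RPC port such as 32768 is explained rather than flagged) and a small known-services table, and it filters `rpm -Va` output for packaged binaries whose size or MD5 changed or that are missing. All sample output below is constructed in the shape of the lines quoted in the thread; the port 12345 entry and the paths in the `rpm -Va` sample are assumptions for illustration.

```python
"""Triage helpers for a suspected rootkit on an RPM-based host (constructed example)."""

# Constructed `netstat -an` output, modelled on the lines quoted in the thread.
# The 12345 listener is an invented entry to show what "unexplained" looks like.
NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:32768           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:98              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN
"""

# Constructed `rpcinfo -p` output; assumes portmap is running so rpc.statd
# ("status", program 100024) has registered the port it was assigned.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100024    1   udp  32768  status
    100024    1   tcp  32768  status
"""

# Non-RPC ports the administrator can already account for (assumed list).
KNOWN_TCP_SERVICES = {22: "ssh", 98: "linuxconf", 111: "sunrpc"}

# Constructed `rpm -Va` output. Each line is an 8-character attribute field
# (S=size, M=mode, 5=md5, D=device, L=link, U=user, G=group, T=mtime),
# an optional file-type letter (c = config file), then the path.
RPM_VERIFY_SAMPLE = """\
S.5....T   /bin/netstat
.......T c /etc/inetd.conf
S.5....T c /etc/hosts.allow
S.5....T   /usr/sbin/lsof
missing    /usr/bin/find
"""


def listening_tcp_ports(netstat_text):
    """Return the local port of every 'tcp ... LISTEN' line in netstat -an output."""
    ports = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 6 and fields[0] == "tcp" and fields[5] == "LISTEN":
            ports.append(int(fields[3].rsplit(":", 1)[1]))
    return ports


def rpc_tcp_ports(rpcinfo_text):
    """Map TCP port -> RPC service name from rpcinfo -p output (header skipped)."""
    mapping = {}
    for line in rpcinfo_text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit() and fields[2] == "tcp":
            mapping[int(fields[3])] = fields[4]
    return mapping


def attribute_listeners(netstat_text, rpcinfo_text, known=KNOWN_TCP_SERVICES):
    """Explain each listening port via portmap, then the known table; else flag it."""
    rpc = rpc_tcp_ports(rpcinfo_text)
    result = {}
    for port in listening_tcp_ports(netstat_text):
        if port in rpc:
            result[port] = "rpc:" + rpc[port]
        elif port in known:
            result[port] = known[port]
        else:
            result[port] = "UNEXPLAINED"
    return result


def parse_rpm_verify(text):
    """Return (path, reason) for packaged files that are missing or whose
    size or MD5 changed. Config files ('c') change legitimately and are skipped."""
    suspects = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        flags, path = fields[0], fields[-1]
        if flags == "missing":
            suspects.append((path, "missing"))
            continue
        is_config = len(fields) == 3 and fields[1] == "c"
        reasons = [name for ch, name in (("S", "size"), ("5", "md5")) if ch in flags]
        if reasons and not is_config:
            suspects.append((path, "+".join(reasons)))
    return suspects


if __name__ == "__main__":
    for port, who in attribute_listeners(NETSTAT_SAMPLE, RPCINFO_SAMPLE).items():
        print("tcp/%d -> %s" % (port, who))
    for path, reason in parse_rpm_verify(RPM_VERIFY_SAMPLE):
        print("%s: %s" % (path, reason))
```

Both checks are only as trustworthy as the tools producing their input: a replaced netstat will hide the connections it was built to hide, and a replaced rpm (or an edited RPM database) will report a replaced binary as clean. That is why the thread's advice to fetch fresh copies of netstat, lsof and friends matters; likewise `rpm -Vp` against the original package files from the installation media compares file contents to the package rather than to the on-disk database.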