Re: Port UDP 3049
From: Thomas Akin (takin@kennesaw.edu) Date: 03/14/02
- Previous message: James McGee: "RE: RemoteNC backdoors, attacks via ports 1433, 524, 139, 445, 21, destroyed files"
- Maybe in reply to: Ryan Russell: "Port UDP 3049"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 14 Mar 2002 05:58:54 -0000 From: Thomas Akin <takin@kennesaw.edu> To: incidents@securityfocus.com
In-Reply-To: <Pine.LNX.4.43.0203110937340.11382-100000@mail.securityfocus.com>
I recently had an unpatched Red Hat 7.2 machine hacked. I discovered a UDP port 3049 listening process... The process binary was ./v

After the compromise I recorded most of the volatile info, found a binary 'v' in "/dev/..   " (three spaces) and assumed it was the ./v listening on 3049. Mistake. The ./v in the "/dev/..   " directory was the Vanish II program. Now I have to analyze the unallocated inodes to find the ./v program listening on port 3049. Biggest problem now is time. They keep me busy around here....

Will post the findings as time permits....
Thomas Akin
--
Thomas Akin, CISSP
Director, Southeast Cybercrime Institute
takin@kennesaw.edu
www.cybercrime.kennesaw.edu
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
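The lesson in the post above is that a listener should be tied to its process by socket inode, not by guessing from a file name. The following is an added example, not code from the original message: it parses the `/proc/net/udp` layout, walks a constructed stand-in for `readlink("/proc/<pid>/fd/<n>")` and `/proc/<pid>/exe`, and also flags `/dev` entries padded with whitespace like the "/dev/..   " directory. All pids, inodes and paths are constructed sample values.

```python
# Constructed sample of /proc/net/udp (Linux 2.4-era layout; port is hex after the colon).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0BE9 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20481
   1: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 9031
"""
# Constructed stand-ins for readlink("/proc/<pid>/fd/<n>") and readlink("/proc/<pid>/exe").
SAMPLE_FD_LINKS = {
    1209: ["/dev/null", "socket:[20481]"],   # holds the port-3049 socket
    1344: ["/dev/null", "/dev/tty1"],        # unrelated process, no socket at all
    402:  ["socket:[9031]"],
}
SAMPLE_EXE_LINKS = {
    1209: "/tmp/.x/v (deleted)",   # hypothetical: an unlinked binary keeps running
    1344: "/dev/..   /v",          # the Vanish II copy, which is not the listener
    402:  "/usr/sbin/named",
}

def parse_proc_net_udp(text):
    """Return {local_port: socket_inode} for every UDP socket line."""
    ports = {}
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        port = int(fields[1].split(":")[1], 16)  # local_address is ip:port in hex
        ports[port] = int(fields[9])             # inode column (extra columns may follow)
    return ports

def socket_owner(inode, fd_links):
    """Find the pid whose fd table references socket:[inode]."""
    target = "socket:[%d]" % inode
    for pid, links in fd_links.items():
        if target in links:
            return pid
    return None

def find_udp_listener(port, udp_text, fd_links, exe_links):
    """Map a UDP port to (pid, exe path) through the socket inode, never by file name."""
    inode = parse_proc_net_udp(udp_text).get(port)
    if inode is None:
        return None
    pid = socket_owner(inode, fd_links)
    return None if pid is None else (pid, exe_links.get(pid))

def odd_dev_names(names):
    """Flag directory entries padded with whitespace or hidden behind a leading dot."""
    return [n for n in names if n != n.strip() or n.startswith(".")]
```

On a live Linux box the same functions take `open("/proc/net/udp").read()` and the results of `os.readlink` over `/proc/<pid>/fd/*` and `/proc/<pid>/exe`; collect those before rebooting, since the inode-to-pid link is exactly the volatile data that is lost.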