Re: Strange service on Port 5656

From: Craig Holmes (Leusent@link-net.org)
Date: 04/16/03

    From: Craig Holmes <Leusent@link-net.org>
    To: "B F" <zaphod_b71@hotmail.com>, pen-test@securityfocus.com
    Date: Wed, 16 Apr 2003 23:35:02 +0300
    
    

    On April 16, 2003 08:19 pm, B F wrote:
    > When I enter something at this prompt the
    > connection is closed immediately.

    That response is clearly characteristic of rootkit backdoors.

    > Nessus detects this service as time server, can anyone confirm/deny that?

    I have never heard of a time daemon using this port for anything. If the
    banner it yields resembles that of a time server, it may cause Nessus to
    report it as such. The fact that it does doesn't really prove anything, as it
    is also a common tactic to make a rootkit yield a known banner in order to
    subvert suspicion.

    > The host in question is a SuSE Linux System and
    > has a vulnerable (OpenSSH 2.1.1) SSH daemon running,
    > so maybe this service is part of a rootkit?

    That is probably very likely. This device (system) is also most likely quite
    old, and an attacker may have even exploited a different service to gain
    access, then disabled it.

    The system is clearly a security risk, and, in my opinion, most likely
    compromised.

    Craig Holmes
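
The message above notes that a scanner's "time server" label proves little when it rests on what the service sends. The following added example (not part of the original message) checks captured first bytes against the Time Protocol itself, which per RFC 868 sends a single 4-byte big-endian count of seconds since 1900 on connect; the function name, the skew tolerance and all sample bytes are constructed assumptions.

```python
import struct

# Seconds between 1900-01-01 (RFC 868 epoch) and 1970-01-01 (Unix epoch).
RFC868_EPOCH_OFFSET = 2208988800

def classify_first_bytes(payload: bytes, observed_unix: int, max_skew: int = 3600) -> str:
    """Classify what a service sent on connect, before the client typed anything.

    observed_unix is the capture time on a trusted clock; max_skew (seconds)
    is an assumed tolerance for a badly set server clock.
    """
    if not payload:
        return "no-data"
    # RFC 868: exactly one 32-bit big-endian count of seconds since 1900.
    if len(payload) == 4:
        (secs_1900,) = struct.unpack("!I", payload)
        if abs(secs_1900 - RFC868_EPOCH_OFFSET - observed_unix) <= max_skew:
            return "rfc868-consistent"
    # Printable text is a banner or prompt, not the binary Time Protocol.
    if all(32 <= b < 127 or b in (9, 10, 13) for b in payload):
        return "text-banner"
    return "unknown-binary"

# Constructed samples (not taken from the host in the thread).
CAPTURE_TIME = 1050525302
SAMPLES = {
    "real time reply": struct.pack("!I", CAPTURE_TIME + RFC868_EPOCH_OFFSET),
    "text prompt": b"login: ",
    "four printable bytes": b"ok> ",
    "stale counter": struct.pack("!I", 12345),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:22} {data!r:24} -> {classify_first_bytes(data, CAPTURE_TIME)}")
```

A `text-banner` or `unknown-binary` result means the scanner's label is unconfirmed; which process owns the listening socket still has to be established on the host itself.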


