Re: Strange service on Port 5656

From: Neal K. Groothuis (ngroot-securityfocus@lo-cal.org)
Date: 04/17/03

    Date: Wed, 16 Apr 2003 17:20:37 -0500
    From: "Neal K. Groothuis" <ngroot-securityfocus@lo-cal.org>
    To: B F <pen-test@securityfocus.com>
    
    
    

    I suspect that Nessus detected this as "time server" because
    it returned a 32-bit value and then closed the connection, which
    is what standard time service does (see RFC 868 / STD 26).
    However, even if we assume that the eighth bit of each of those
    bytes was zeroed by telnet to get printable characters, the
    maximum value that that could be is a2acada1 (decimal 2,729,225,633),
    and the approximate number of seconds from midnight Jan 1 1900 by
    my calculations is 3,256,092,000 (103.25 * 365 * 24 * 60 * 60),
    and that's a pretty big discrepancy. Plus, as was already pointed
    out, that's a non-standard port for time service. The owners of
    that box should definitely see what process is listening on that port!

                                                    - neal

    On Wed, Apr 16, 2003 at 07:19:26PM +0200, B F wrote:
    > while conducting one of those tests this list was made
    > for, I stumbled over a TCP Service on Port 5656. If I
    > netcat on this port the following "banner" is displayed:
    > ",!-
    >
    > When I enter something at this prompt the
    > connection is closed immediately. Nessus detects this
    > service as time server, can anyone confirm/deny that?
    > If this is no time server did someone see this banner
    > before? The host in question is a SuSE Linux System and
    > has a vulnerable (OpenSSH 2.1.1) SSH daemon running,
    > so maybe this service is part of a rootkit?

    -- 
    A faith; this is a necessity for man. Woe to him who believes nothing.
     						--Victor Hugo
    						  Les Miserables
    PGP key available upon request or at http://www.imsa.edu/~ngroot/
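
The plausibility check described in the message above, as an added example that is not part of the original post: it reads a 4-byte banner as an RFC 868 value, tries every combination of restored high bits, and compares the closest reading with the real time. The function names and the one-day tolerance are assumptions; the sample banner and timestamp are taken from the quoted post.

```python
import struct
from datetime import datetime, timezone
from itertools import product

RFC868_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)
MAX_SKEW = 24 * 60 * 60  # assumed tolerance: a real time server is within a day


def rfc868_seconds(when):
    """Seconds since 1900-01-01 00:00 UTC, the 32-bit value RFC 868 sends."""
    return int((when - RFC868_EPOCH).total_seconds())


def high_bit_variants(banner):
    """Every 32-bit big-endian value the 4 bytes could have been if the
    terminal cleared bit 7 of some or all of them."""
    if len(banner) != 4:
        raise ValueError("RFC 868 over TCP sends exactly 4 bytes")
    choices = [{b, b | 0x80} for b in banner]
    return sorted({struct.unpack("!I", bytes(c))[0] for c in product(*choices)})


def closest_time_reading(banner, observed_at):
    """Return (value, skew_seconds) for the variant nearest the real time."""
    expected = rfc868_seconds(observed_at)
    value = min(high_bit_variants(banner), key=lambda v: abs(v - expected))
    return value, value - expected


def looks_like_time_service(banner, observed_at):
    """True only if some reading of the banner is within MAX_SKEW of now."""
    _, skew = closest_time_reading(banner, observed_at)
    return abs(skew) <= MAX_SKEW


if __name__ == "__main__":
    # Banner bytes as quoted in the thread; timestamp of the quoted post in UTC.
    banner = b'",!-'
    seen = datetime(2003, 4, 16, 15, 19, 26, tzinfo=timezone.utc)
    value, skew = closest_time_reading(banner, seen)
    print(f"closest reading 0x{value:08x}, off by {skew / 86400 / 365.25:.1f} years")
    print("time service" if looks_like_time_service(banner, seen) else "not RFC 868 time")
```
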
    
    


