Re: Strange service on Port 5656

From: H Carvey (keydet89@yahoo.com)
Date: 04/17/03

    Date: 17 Apr 2003 14:08:37 -0000
    From: H Carvey <keydet89@yahoo.com>
    To: pen-test@securityfocus.com
    In-Reply-To: <200304162335.02476.Leusent@link-net.org>

    Craig,

    >> When I enter something at this prompt the
    >> connection is closed immediately.
    >That response is clearly characteristic of rootkit
    >backdoors.

    Can you elaborate? I'm more familiar w/ Windows
    systems, but given what little information has been
    provided, I'm wondering what it is that you're seeing
    that leads to this conclusion.

    >> Nessus detects this service as time server, can
    >> anyone confirm/ deny that?
    >I have never heard of a time daemon using this port
    >for anything. If the banner it yields resembles that
    >of a time server, it may cause nessus to report it as
    >such. The fact that it does doesn't really prove
    >anything, as it is also a common tactic to make a
    >rootkit yield a known banner in order to subvert
    >suspicion.

    This statement leads me to ask my question again...how
    is it that you know, without more information, that
    this system has been compromised?
     
    I would have suggested further activities, such as
    running lsof or fuser on the system, to find the
    path/name of the executable image that's bound to that
    port.

    Thanks,

    Harlan

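The lsof/fuser step suggested above, worked as an added example that is not part of this thread: it resolves a listening TCP port to the owning PID and its executable path straight from Linux /proc, which is the same data lsof and fuser read and is useful when the tools on a suspect host cannot be trusted. The /proc/net/tcp table embedded below is constructed for the demo (port 5656 is 0x1618), and the /proc layout is the assumed Linux one.

```python
"""Map a listening TCP port to its owning process and executable via /proc.

Same information as `lsof -i :PORT` / `fuser -n tcp PORT`, reconstructed by
hand. Reading other users' /proc/<pid>/fd requires root.
"""
import os

# Constructed sample of /proc/net/tcp (not captured from any real host).
# Row 0: LISTEN on 0.0.0.0:5656 (0x1618), row 1: LISTEN on 127.0.0.1:631.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1618 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 0000000000000000 100 0 0 10 0
"""

LISTEN_STATE = "0A"  # TCP_LISTEN as shown in the `st` column


def listening_inodes(proc_net_tcp_text, port):
    """Return socket inode numbers of LISTEN sockets bound to `port`."""
    inodes = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_addr, state, inode = fields[1], fields[3], fields[9]
        local_port = int(local_addr.split(":")[1], 16)  # hex port
        if state == LISTEN_STATE and local_port == port:
            inodes.append(inode)
    return inodes


def pids_for_inode(inode, proc="/proc"):
    """Walk <proc>/<pid>/fd and collect PIDs holding socket:[inode]."""
    target = f"socket:[{inode}]"
    pids = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc, entry, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(entry))
        except OSError:  # process exited or permission denied
            continue
    return pids


def exe_path(pid, proc="/proc"):
    """Executable image behind `pid`; '(deleted)' suffix means unlinked binary."""
    try:
        return os.readlink(f"{proc}/{pid}/exe")
    except OSError as e:
        return f"<unreadable: {e}>"


if __name__ == "__main__":
    import sys
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5656
    with open("/proc/net/tcp") as f:
        table = f.read()
    for ino in listening_inodes(table, port):
        for pid in pids_for_inode(ino):
            print(f"tcp/{port}: pid {pid} -> {exe_path(pid)}")
```

Run as root to see every process; a result whose exe path ends in "(deleted)" or points somewhere like /tmp or /dev/shm is worth preserving before any cleanup.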

