Re: process identification

From: Ivan Coric (ivan.coric_at_workcoverqld.com.au)
Date: 05/04/04

    Date: Tue, 04 May 2004 10:24:06 +1000
    To: <stdweird@carl.ugent.be>, <security-basics@securityfocus.com>
    
    

    Hi Stijn,
    sounds like the netstat binary has been replaced, and possibly others, by way of a rootkit.

    Try to install lsof (Lists files open by processes), then run #lsof -i
    http://www.mandrakelinux.com/en/9.1/features/15.php3

    Cheers
    Ivan

    Ivan Coric, CISSP
    IT Technical Security Officer
    Information Technology
    WorkCover Queensland
    Ph: (07) 30066414 Fax: (07) 30066424
    Email: ivan.coric@workcoverqld.com.au

    >>> Stijn De Weirdt <stdweird@carl.ugent.be> 05/03/04 11:49pm >>>
    hello,

    i have a computer that has been (successfully :( ) attacked, and i'm
    currently checking how 'they' did it. the computer has an open port with a listening ftp-server, but there is no matching PID with netstat. so here's the question: how do i get the process-id?

    some data:
    the computer is running some old mandrake version (9.0, kern 2.4.19-16mdk)

    'netstat -vapt' output:
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 xxx.xxx.xxx:81 *:* LISTEN
    -

    (note the last -)

     nmap -p 81 (from another machine) gives
    Port State Service
    81/tcp filtered hosts2-ns

    but telnet from the same machine gives (partly)
    220 xxx.xxx.xxx FTP server (Version 1.8 - 2002/01/14 20:09:00) ready.

    the ftp-server seems very highly modified, meaning that
    1. there isn't supposed to run one on that computer (but there is one
    installed)
    2. doesn't recognise any commands like cd, ls, get, put, login...

    currently port 81 is being DROP/LOG via iptables, and i'm reinstalling it in a few days, but any advice on how to look for the server process is
    handy. i have root access to the machine, so that's no problem.

    many thanks
    stijn
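Added example, not code from either poster: it answers Stijn's question (a LISTEN socket with no PID in netstat) without trusting a netstat or lsof binary that a rootkit may have replaced, by reading /proc/net/tcp and the /proc/<pid>/fd socket symlinks directly. It assumes Linux with /proc mounted; the sample /proc/net/tcp text is constructed, and a kernel-level rootkit that hides /proc entries would still defeat it.

```python
# Added example (not from the thread): find the process owning a listening TCP
# socket by reading /proc directly, so the answer does not depend on a netstat or
# lsof binary a rootkit may have replaced. Assumes Linux with /proc mounted.
import os
import re

# Constructed sample of /proc/net/tcp: ports 81 and 22 listening, one open session
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0A01A8C0:0051 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 24601 1 0000000000000000 100 0 0 10 0
   1: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 13577 1 0000000000000000 100 0 0 10 0
   2: 0A01A8C0:0016 1501A8C0:C2F4 01 00000000:00000000 00:00000000 00000000     0        0 13699 1 0000000000000000 20 4 30 10 -1
"""

def parse_proc_net_tcp(text):
    """Return {socket_inode: (local_ip, port)} for sockets in LISTEN state (st 0A)."""
    listeners = {}
    for line in text.splitlines()[1:]:            # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 address is a little-endian 32-bit word, so read the bytes in reverse
        ip = ".".join(str(int(hex_ip[i:i + 2], 16)) for i in (6, 4, 2, 0))
        listeners[fields[9]] = (ip, int(hex_port, 16))
    return listeners

def socket_inodes_by_pid(proc="/proc"):
    """Return {socket_inode: pid} by reading every /proc/<pid>/fd/* symlink."""
    owners = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            links = [os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)]
        except OSError:                           # process exited or not readable as this user
            continue
        for m in filter(None, (re.fullmatch(r"socket:\[(\d+)\]", t) for t in links)):
            owners[m.group(1)] = int(pid)
    return owners

def find_listener_pids(listeners, owners):
    """Map port -> owning PID; None means no visible process holds the socket,
    which on a compromised host points at a hidden process and needs a closer look."""
    return {port: owners.get(inode) for inode, (_ip, port) in listeners.items()}

def listeners_on_host(proc="/proc"):
    """Run the whole check against the live system."""
    with open(os.path.join(proc, "net", "tcp")) as f:
        return find_listener_pids(parse_proc_net_tcp(f.read()), socket_inodes_by_pid(proc))
```

Run it as root so every /proc/<pid>/fd is readable; a port that maps to None while still answering on the wire is exactly the symptom in the original question and should be treated as a hidden process rather than a parsing glitch.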




