Re: Back Orifice - RedHat 7 [Update]
From: Mike (noone@foo.bar.com) Date: 06/27/02
- Next message: Reiner Griess: "NFS, how to make it secure (spoofing etc)"
- Previous message: Jupiter: "FreeSwan IPSec"
- In reply to: Neophyte: "Back Orifice - RedHat 7 [Update]"
- Next in thread: Neophyte: "Re: Back Orifice - RedHat 7 [Update]"
- Reply: Neophyte: "Re: Back Orifice - RedHat 7 [Update]"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: noone@foo.bar.com (Mike) Date: Thu, 27 Jun 2002 14:35:34 GMT
neophyte@news.snel.net (Neophyte) wrote in
<1025162183.346818@news.knoware.nl>:
>Hello Again,
>
>I once again installed RedHat 7X on another box to make sure that I
>wasn't delusional. The procedure I followed was to first install RedHat
>7.1 without X. What I did choose was the Networked Workstation and DialUp
>Workstation. I also went in and purged the installation of programs I
>didn't want and added a couple that I did. After installation, I ran
>nmap and it revealed nothing unusual (as far as I know), just: ssh,
>smtp....in other words, nothing more than I would expect. Afterwards, I
>installed other peripheral packages (all included with the RH
>distribution), including portsentry, hostsentry, sniffit, snort,
>aide...etc.
>
>I then proceeded to upgrade that installation to RH7.2 and telling it to
>upgrade the existing installation. I did go in and purge a lot of the
>programs from this installation as well, but the bloat is ever present
>in some regards (grrrr). In any event, I went with what was acceptable
>for now and proceeded with the upgrade. I once again ran portsentry
>against the tcp and udp protocols to which I received no alarm. I then
>ran nmap again, and "sure as shootin' " there it was:
>port 54320 -tcp open bo2k!!!
>
>Concomitant to this is the fact that after the upgrade to 7.2 nmap
>showed a lot of other ports that were open which I can only conclude,
>resulted from said upgrade. These include:
>1 - tcpmux
>587 - unknown
>1080 - socks
>6667 - irc
>12345/6 - NetBus
>31337 - elite
>32771/2/3/4 - sometimes-rpc5/7/9/11
>54320 - bo2k
>
>some of which I'd have never chosen to put on a box I'd use as a
>firewall unless I was totally out of my gourd. Again, if this is all
>legitimate, I can accept it, but I can't understand why bo2k client or
>server would be included in this installation and secondly how such a
>barebones installation with RH 7.1 turns into this with 7.2.
>
>If anyone can enlighten me on this subject, I'd appreciate it, but until
>then, I'll just try another distribution. I'm willing to admit that
>maybe some of this has to do with my incomplete understanding of Linux
>(if such a state of complete understanding exists), but I do know a
>thing or two, and this strikes me as odd. So, before I go online with
>Linux, via the cable, I want to make sure that I'm using and have
>configured as secure a system as I'm capable of and I'm in no rush to do
>so.
>
>I hope I've been sufficiently informative. Your help is greatly
>appreciated.
>
>Gabriel
>
>P.S. I also ran netstat -aplt which also failed to display the bo2k
>entry, but did include all of the above stated and then some...go
>figure.
>
>
Ever tried to read Portsentry's documentation?
Portsentry is a host-based IDS (Intrusion Detection System) that LISTENS
on several ports and logs access attempts.
RTFM please.
Cheers,
Mike
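Mike's point, that a listener such as portsentry is what makes a scanner report those ports as open, is easy to see in code. The following is an added example written for this archive page; it is not portsentry's code and is not part of the thread. It is a tiny decoy listener that binds a few TCP ports, logs every connection attempt and drops it, alongside the connect() probe a scanner uses. The port list, the log line format and all function names are this example's own choices; ports are bound on 127.0.0.1 and the demo asks the kernel for free ports so it runs without root.

```python
"""Decoy-port listener: why a host-based IDS that binds trap ports makes a
port scanner report them as "open".

Added example, not portsentry's own code. Each decoy port accepts any
connection, records who knocked, and closes. A TCP connect() scan against
this host therefore lists every decoy port as open, which is what the
poster saw when nmap flagged 54320/tcp as "bo2k".
"""
import socket
import threading
import time
from datetime import datetime, timezone

# Ports taken from the thread's nmap output (1/tcp needs root to bind).
# Constructed list for illustration; pass 0 to let the kernel pick a port.
DEFAULT_DECOY_PORTS = [1, 1080, 12345, 31337, 54320]

_attempts = []          # (utc timestamp, source ip, source port, decoy port)
_lock = threading.Lock()


def _serve(listener, port, stop):
    """Accept connections until `stop` is set, logging and dropping each one."""
    listener.settimeout(0.2)            # wake up periodically to check `stop`
    while not stop.is_set():
        try:
            conn, (src_ip, src_port) = listener.accept()
        except socket.timeout:
            continue
        except OSError:                  # listener closed underneath us
            return
        with _lock:
            _attempts.append((datetime.now(timezone.utc), src_ip, src_port, port))
        conn.close()                     # no banner, no service: just a trap


def start_decoys(ports=DEFAULT_DECOY_PORTS, host="127.0.0.1"):
    """Bind each port and return {bound_port: (socket, stop_event)}."""
    bound = {}
    for p in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, p))
        s.listen(5)
        real_port = s.getsockname()[1]   # resolves port 0 to the kernel's pick
        stop = threading.Event()
        threading.Thread(target=_serve, args=(s, real_port, stop), daemon=True).start()
        bound[real_port] = (s, stop)
    return bound


def stop_decoys(bound):
    """Signal every accept loop to exit and close the listening sockets."""
    for s, stop in bound.values():
        stop.set()
        s.close()


def connect_probe(host, port, timeout=1.0):
    """What a TCP connect() scanner does per port: True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:                      # refused, unreachable, or timed out
        return False


def attempts():
    """Snapshot of logged connection attempts."""
    with _lock:
        return list(_attempts)


def wait_for_attempts(n, timeout=2.0):
    """Wait until at least n attempts are logged; the accept thread races the probe."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline and len(attempts()) < n:
        time.sleep(0.02)
    return len(attempts()) >= n


def format_attempt(a):
    """Render one logged attempt as a single log line (constructed format)."""
    ts, ip, sport, dport = a
    return f"{ts.isoformat()} attackalert: connect from {ip}:{sport} to TCP port {dport}"


if __name__ == "__main__":
    bound = start_decoys([0, 0, 0])      # three kernel-chosen trap ports
    for port in bound:
        state = "open" if connect_probe("127.0.0.1", port) else "closed"
        print(f"{port}/tcp reports {state}")
    wait_for_attempts(len(bound))
    for a in attempts():
        print(format_attempt(a))
    stop_decoys(bound)
```

Run it and every decoy port shows as open to the probe while each probe lands in the log, which is exactly the nmap result in the thread. To tell a trap listener from a real service, the `-p` in the poster's own `netstat -aplt` invocation (or `ss -ltnp` on current systems) prints the PID and program name beside each listening socket, so the 54320/tcp entry can be attributed to portsentry rather than to a bo2k server.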