Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)

From: Joshua Kuo (kuom@hawaii.edu)
Date: 12/09/02

• Next message: Timothy Murphy: "Re: (Q) rdate or ntpdate ?"
• Previous message: Cynthia Blue: "Ports Closed"
• In reply to: Wojtek Walczak: "Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)"
• Next in thread: Wojtek Walczak: "Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)"
• Reply: Wojtek Walczak: "Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Joshua Kuo <kuom@hawaii.edu>
Date: Mon, 09 Dec 2002 13:51:17 -0800

this is weird. i used netstat -altpu and found that port 6006 is
listening.

listerally one minute later, i am doing it again to show it to my
co-worker, and it didn't come up this time. and it hasn't been so far
(been 40 minutes).

so does that mean someone is now logged on to my box? when i nmap myself
6006 is still open.

On Mon, 09 Dec 2002 08:56:25 -0800, Wojtek Walczak wrote:

> Dnia Sun, 08 Dec 2002 13:58:49 -0800, Joshua Kuo napisał(a):
>># telnet localhost 6006
>> Trying 127.0.0.1...
>> Connected to localhost.
>> Escape character is '^]'.
>> SSH-1.5-OpenSSH-2.9.2
>
> type
>
> netstat -tupan
>
> get a PID of that process, then do
>
> ls -l /proc/PID/exe
>
> and you'll find location of that server's binary. Are you that person,
> who placed sshd binary in place you'll find out?

---

• Next message: Timothy Murphy: "Re: (Q) rdate or ntpdate ?"
• Previous message: Cynthia Blue: "Ports Closed"
• In reply to: Wojtek Walczak: "Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)"
• Next in thread: Wojtek Walczak: "Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)"
• Reply: Wojtek Walczak: "Re: TCP 6006 and echo (port 7) Mandrake (possible new trojan?)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Netstat results - problem? ... listening corresponding to a port. ... Luca Vix Visconti wrote: ... >> Have I a trojan or does this look like normal netstat logs? ... (comp.security.misc) Re: Cant connect to Terminal Services following upgrade of Win 2003 to service pack 1 ... Is the server listening on port 3389? ... - an" at a command prompt. ... I've done a netstat -an and it says that port 3389 is ... (microsoft.public.windows.terminal_services) Re: Tomcat Doesnt Seem To Start In Fedora 8 ... The result of netstat is ... If I understand the above correctly, something is indeed listening on port 8080...but what? ... I also grepped on '80' to list processes running on any 80xx port. ... (Fedora) Re: sshd blocking ftp data port 20? ... something listening that looks like sshd. ... If you want to see which process is using the port try ... > The sshd configuration file points to port 22 as is normal. ... > strange is the netstat output where there is no indication of ports 20 ... (comp.security.ssh) RE: Terminal Server session creation failed ... I did a netstat -an but there is no port 3389 listed. ... > If you bring up the tsadmin utility, is the RDP-tcp listener in the ... > listening state, rather than being 'down' or similar state? ... (microsoft.public.windows.terminal_services)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)