Re: Unknown service on port 21 and 143 detected via nessus - Next steps?
From: cb (cb_at_eudormail.com)
Date: 06/09/04
- Next message: Randy Lawrence: "Re: Unknown service on port 21 and 143 detected via nessus - Next steps?"
- Previous message: P.T. Breuer: "Re: How to permit selective SSH access?"
- In reply to: Randy Lawrence: "Re: Unknown service on port 21 and 143 detected via nessus - Next steps?"
- Next in thread: Randy Lawrence: "Re: Unknown service on port 21 and 143 detected via nessus - Next steps?"
- Reply: Randy Lawrence: "Re: Unknown service on port 21 and 143 detected via nessus - Next steps?"
Date: Wed, 09 Jun 2004 17:41:44 GMT
Randy Lawrence wrote:
> Randy Ramsdell wrote:
>
>>
>>
>> Randy Lawrence wrote:
>>
>>> We ran Nessus on our hosted remote server and found ports 21 and 143
>>> running an unknown service. We don't have ftpd or imapd running (or
>>> even installed) and there's no entry in /etc/xinetd.d/.
>>>
>>> Ran chkrootkit on the server (from hd unfortunately since it is
>>> remote) and found nothing.
>>>
>>> Any ideas on next steps we should take?
>>>
>>> Server is running RedHat AS3 inside Virtuozzo VPS.
>>
>>
>>
>> Is it UDP or TCP?
>>
>> Things to try:
>>
>>
>> 1. Telnet to the ports.
>> 2. Compare lsof and netstat output. (Netstat is a frequently
>> trojaned binary, but not sure if lsof is used by all
>> rootkits.)
>> 3. Run Nmap from known good box.
>> 4. Check the previous thread here about "Mysteriously hacked" for
>> other suggestions.
>>
>
> I ran Nessus from a known good workstation which detected port 21 as
> open on the server and noted that it was running an unknown service.
>
> Netstat (with "-aln", "-tln", etc.) on the server does not bring up
> anything on port 21.
>
> Whether or not I activate the following iptables rules, the FTP
> connection still responds as open (although the delay between the
> connected message and service not available message is longer when these
> rules are active):
>
> /sbin/iptables -A INPUT -p tcp -i venet0 --dport 21 -j DROP
> /sbin/iptables -A INPUT -p udp -i venet0 --dport 21 -j DROP
>
> When I try to FTP from a different machine to the server I get (again,
> even with those iptables rules active):
>
> $ ftp 123.123.123.123
> Connected to 123.123.123.123.
> 421 Service not available, remote server has closed connection
> ftp>
>
> I'm not using a proxy server on the testing client workstation when
> trying to connect to or portscan our server.
>
> The ISP looked into it and tells me their firewall must be accepting the
> FTP connection since trying to connect to localhost immediately fails on
> the server. I'm wondering if they're actually right or simply trying to
> close the issue. How do I find out?
>
Not sure, but to totally firewall ftp do you need to account for port 20
with an additional rule?
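
Added example, not part of the original thread: the netstat/lsof comparison suggested in the quoted list can also be cross-checked against the kernel's own socket table, which does not depend on either binary. The sample table and function names are constructed for illustration; the code assumes the Linux /proc/net/tcp layout, and a kernel-level rootkit could hide entries there as well.

```shell
#!/bin/sh
# List TCP ports in LISTEN state from a /proc/net/tcp-format table,
# without calling netstat or lsof.

# Constructed sample in /proc/net/tcp layout (not data from the thread).
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1302
   2: 7B7B7B7B:0016 0A000005:C3A1 01 00000000:00000000 02:000A0B0C 00000000     0        0 1450
EOF
}

# Print decimal ports whose state column is 0A (TCP_LISTEN), one per line.
# $1 = path to a table in /proc/net/tcp or /proc/net/tcp6 format.
listening_ports() {
    while read -r sl laddr raddr st rest; do
        [ "$st" = "0A" ] || continue      # skips the header and non-listening sockets
        echo $((0x${laddr##*:}))          # port is the hex value after the last colon
    done < "$1" | sort -n -u
}

# Exit 0 if port $2 has a listener according to table $1, non-zero otherwise.
port_listening() {
    listening_ports "$1" | grep -qx "$2"
}

# Demo on the constructed sample, checking the two ports the scanner flagged.
tmp=$(mktemp) && sample_proc_net_tcp > "$tmp"
for p in 21 143; do
    if port_listening "$tmp" "$p"; then
        echo "port $p: LISTEN in kernel table"
    else
        echo "port $p: no listener in kernel table"
    fi
done
rm -f "$tmp"
```

On a live host, pass /proc/net/tcp and /proc/net/tcp6 instead of the sample. If ports 21 and 143 have no listener there while an outside client still connects, a packet capture on the server's interface during the connection attempt shows whether the SYN ever reaches the host.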