Re: Compromised Linux server!




"Tom" <tlarmon@xxxxxxxxx> wrote in message
news:1142905255.272330.88140@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'll keep this anonymous, but check these out (note telnet):

[code]
[root@server cgi-bin]# nmap -v 10.2.2.21

Starting nmap 3.81 ( http://www.insecure.org/nmap/ ) at 2006-03-20
19:36 CST
Initiating SYN Stealth Scan against host-10-2-2-21.domain.com
(10.2.2.21) [1663 ports] at 19:36
Discovered open port 23/tcp on 10.2.2.21
Discovered open port 443/tcp on 10.2.2.21
Discovered open port 80/tcp on 10.2.2.21
Discovered open port 22/tcp on 10.2.2.21
Discovered open port 25/tcp on 10.2.2.21
Discovered open port 139/tcp on 10.2.2.21
Discovered open port 802/tcp on 10.2.2.21
Discovered open port 917/tcp on 10.2.2.21
Discovered open port 81/tcp on 10.2.2.21
Discovered open port 111/tcp on 10.2.2.21
Discovered open port 6969/tcp on 10.2.2.21
The SYN Stealth Scan took 0.12s to scan 1663 total ports.
Host host-10-2-2-21.domain.com (10.2.2.21) appears to be up ... good.
Interesting ports on host-.domain.com (10.2.2.21):
(The 1652 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
802/tcp open unknown
917/tcp open unknown
6969/tcp open acmsoda

Nmap finished: 1 IP address (1 host up) scanned in 0.258 seconds
Raw packets sent: 1665 (66.6KB) | Rcvd: 3339 (134KB)
[/code]
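Tom's port table lends itself to a quick baseline check. The following is an added example, not code from anyone in the thread: it parses the nmap 3.81 port listing quoted above and flags every open TCP port that is not in an allowlist for a public web/mail host. The allowlist (22, 25, 80, 443) is an assumption for illustration, not something the posters stated.

```python
import re

# Port table from the nmap 3.81 run quoted in Tom's post, embedded so the
# check runs offline against the same data the thread is discussing.
NMAP_OUTPUT = """\
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
81/tcp open hosts2-ns
111/tcp open rpcbind
139/tcp open netbios-ssn
443/tcp open https
802/tcp open unknown
917/tcp open unknown
6969/tcp open acmsoda
"""

# Assumed baseline for a web/mail host (my assumption, not from the post):
# anything listening outside this set needs an owner before the box is trusted.
EXPECTED_TCP = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def parse_open_ports(text):
    """Return (port, proto, service) for every line nmap reports as open."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(2), m.group(4)))
    return found

def triage(text, expected):
    """Bucket open ports into expected, unexpected, and unknown-service."""
    report = {"expected": [], "unexpected": [], "unknown_service": []}
    for port, proto, service in parse_open_ports(text):
        label = f"{port}/{proto} {service}"
        if proto == "tcp" and port in expected:
            report["expected"].append(label)
        else:
            report["unexpected"].append(label)
            # nmap has no service name for these; on a suspected compromise
            # each one should be tied to a process (netstat/lsof) or explained.
            if service == "unknown":
                report["unknown_service"].append(label)
    return report

if __name__ == "__main__":
    for bucket, items in triage(NMAP_OUTPUT, EXPECTED_TCP).items():
        print(f"{bucket}: {', '.join(items) or '-'}")
```

Run against the quoted scan it reports telnet, the RPC/NetBIOS listeners and the three high ports as unexpected, which is the same list Grant's advice to rebuild from scratch is responding to.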

Grant wrote:
On 20 Mar 2006 16:23:57 -0800, "Tom" <tlarmon@xxxxxxxxx> wrote:

How should I port the sites over from backup when they are most likely
infected?

The system is compromised, as you may be too, depending on the content
you've been serving, and local laws.

Start clean, and I do mean zero then format OS partitions before
re-install, 'when in doubt, chuck it out'. Otherwise you get to
do all this over again next month.

Grant.
--
Memory fault -- brain fried


Another 2 cents.

You did not describe the business this server performs. If it is a web
server for customers, build a new machine and copy the customer sites over.
Then exchange machines in off hours.

Doug
