Re: Strange service on Port 5656

From: H Carvey (keydet89@yahoo.com)
Date: Thu Apr 17 2003 - 10:08:37 EDT


In-Reply-To: <200304162335.02476.Leusent@link-net.org>

Craig,

>> When I enter something at this prompt the
>> connection is closed immediately.
>That response is clearly characteristic of rootkit
>backdoors.

Can you elaborate? I'm more familiar w/ Windows
systems, but given what little information has been
provided, I'm wondering what it is that you're seeing
that leads to this conclusion.

>> Nessus detects this service as time server, can
>> anyone confirm/deny that?
>I have never heard of a time daemon using this port
>for anything. If the banner it yields resembles that
>of a time server, it may cause nessus to report it as
>such. The fact that it does doesn't really prove
>anything, as it is also a common tactic to make a
>rootkit yield a known banner in order to subvert
>suspicion.

This statement leads me to ask my question again...how
is it that you know, without more information, that
this system has been compromised?
 
I would have suggested further activities, such as
running lsof or fuser on the system, to find the
path/name of the executable image that's bound to that
port.

Thanks,

Harlan
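Editor's added example (not part of Harlan's message or the original thread): the lsof/fuser step he suggests boils down to `lsof -nP -i :5656` or `fuser -n tcp 5656`, both of which resolve a listening port to a socket inode in /proc/net/tcp, then to the PID whose /proc/<pid>/fd holds that inode, then to /proc/<pid>/exe. The script below does that walk by hand on Linux so the chain of evidence is visible. The /proc/net/tcp sample it parses is constructed for the example, not captured from the poster's host; the port 5656, the inode numbers and the helper names are illustrative. Two caveats a responder would want: you need root to read other users' fd tables, and a kernel-level rootkit can hide the /proc entries this relies on, so an answer of "nothing found" from inside the box is not proof of absence.

```python
"""Resolve a listening TCP port to the process and binary behind it by
reading /proc directly, which is the same data lsof/fuser consult.

Added example for the pen-test thread; not code from the original post.
"""
import os

# Constructed sample of /proc/net/tcp (NOT from a real host):
#   row 0: something listening on 0.0.0.0:5656  (0x1618), inode 12345
#   row 1: a listener on 127.0.0.1:22 (0x0016), inode 6789
#   row 2: an ESTABLISHED connection to port 5656, which is not a listener
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1618 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 6789 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1618 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 20 4 30 10 -1
"""

# Socket state codes as used in /proc/net/tcp (include/net/tcp_states.h)
TCP_STATES = {
    "01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
    "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
    "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING",
}


def _decode_addr(field):
    """'0100007F:0016' -> ('127.0.0.1', 22). IPv4 is little-endian hex."""
    ip_hex, port_hex = field.split(":")
    ip = ".".join(str(b) for b in reversed(bytes.fromhex(ip_hex)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Parse the text of /proc/net/tcp into a list of dicts."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        # Skip the header and any short/garbled line; data rows start with 'N:'
        if len(f) < 10 or not f[0].endswith(":"):
            continue
        lip, lport = _decode_addr(f[1])
        rip, rport = _decode_addr(f[2])
        rows.append({
            "local_ip": lip, "local_port": lport,
            "remote_ip": rip, "remote_port": rport,
            "state": TCP_STATES.get(f[3], f[3]),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return rows


def listeners_on_port(rows, port):
    """Only LISTEN sockets bound to the port; ESTABLISHED rows are clients/peers."""
    return [r for r in rows if r["local_port"] == port and r["state"] == "LISTEN"]


def pids_holding_inode(inode, proc="/proc"):
    """Scan every /proc/<pid>/fd for a link named 'socket:[<inode>]' (needs root)."""
    target = "socket:[%d]" % inode
    pids = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        fd_dir = os.path.join(proc, name, "fd")
        try:
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # permission denied, or the process has exited
        for fd in fds:
            try:
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(name))
                    break
            except OSError:
                continue
    return pids


def describe_pid(pid, proc="/proc"):
    """Executable path and command line; a ' (deleted)' exe is a classic tell."""
    base = os.path.join(proc, str(pid))
    try:
        exe = os.readlink(os.path.join(base, "exe"))
    except OSError:
        exe = "?"
    try:
        with open(os.path.join(base, "cmdline"), "rb") as fh:
            cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
    except OSError:
        cmdline = "?"
    return {"pid": pid, "exe": exe, "cmdline": cmdline,
            "exe_deleted": exe.endswith(" (deleted)")}


def main(port):
    """Live walk on the local Linux host: port -> inode -> pid -> exe."""
    with open("/proc/net/tcp") as fh:
        rows = parse_proc_net_tcp(fh.read())
    for lst in listeners_on_port(rows, port):
        print("listener %s:%d inode %d uid %d" % (lst["local_ip"], port, lst["inode"], lst["uid"]))
        for pid in pids_holding_inode(lst["inode"]):
            print("  ", describe_pid(pid))


if __name__ == "__main__":
    import sys
    main(int(sys.argv[1]) if len(sys.argv) > 1 else 5656)
```

Run it as root with the port as the argument and compare the result with `lsof -nP -i :5656`; if lsof, this walk and `netstat -anp` disagree, or the exe link reads `(deleted)` or points into /tmp or /dev, that is the kind of evidence the thread was missing. Doing the same lookup from a clean boot medium against the mounted disk is the only way to rule out a hidden /proc entry.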




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:32 EDT