Rob,

The problem with this approach is too many times I've seen a root job that
installs a rootkit which consists of trojaned versions
of netstat, login, ps, etc. If you have been compromised, none of these things
will show anything out of the ordinary (as the
hacker has intended). It's best to look elsewhere.


Rob Kennedy wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Go grab a copy of lsof and grep for LISTEN, or run netstat -anp |grep
> LISTEN and see what is actually running, then take a look through your
> inetd.conf or /etc/services to see if it was set up in there..  do a ps
> auxw to see what user started it.. find the file that starts it, and see
> when it was installed.. do a last -a to see who was logged in at the time
> and from where.. etc..  things I would do..
>
> Rob
>
> - --
> Rob Kennedy
> ASPRE, Inc.
> [EMAIL PROTECTED]
> http://www.aspre.net/
>
> Managed e-Business that works
> - ---------------------------------
> the first exclusive e-Business Application Service Provider (ASP)
>
> t. 215.957.2266 Ext. 2145
> f. 215.957.2277
>
> 113 Rock Road
> Horsham, PA 19044
>
> On Mon, 16 Apr 2001, Loryan Strant wrote:
>
> > Hi,
> >
> > While doing a routine portscan of my RaQ4, I noticed that port 44658 is
> > running SSH 1.5-1.2.27.
> >
> > I know for a fact that I didn't set that up, as I'm running OpenSSH 2.1.1 on
> > a completely different port.
> >
> > Does anyone have any ideas as to what this is?
> >
> > Thanks,
> >
> > Loryan
> >
> > _______________________________________________
> > cobalt-users mailing list
> > [EMAIL PROTECTED]
> > To Subscribe or Unsubscribe, please go to:
> > http://list.cobalt.com/mailman/listinfo/cobalt-users
> >
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (GNU/Linux)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE62ywkgExIAP5wKEsRAnzGAJ9/tYjyOfF+J89ZOacHOYrztBfNHACfbpcC
> WFqnbSE2d/Fd/gc4UJd7Y38=
> =VZgc
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> cobalt-security mailing list
> [EMAIL PROTECTED]
> http://list.cobalt.com/mailman/listinfo/cobalt-security

--
Bill Irwin
Technical Support Engineer
Sun Microsystems, Inc.
