Hi Nick - Glad to see you're alive and kicking!

Mike Rickards
Managing Director
Smartways Technology Ltd
Tel. +44(0)1604 670500
Fax. +44(0)1604 670567
www.smartways.net
www.lanspy.net
European leaders in: Internet Connectivity, E-Commerce Development & Deployment, Intershop Partners, Network Security & Firewalls, Java, ASP & CGI Development. A total solution provider....

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Drage, Nicholas
Sent: Wednesday, April 18, 2001 11:27 AM
To: '[EMAIL PROTECTED]'
Cc: [EMAIL PROTECTED]
Subject: RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???

> -----Original Message-----
> From: Loryan Strant [mailto:[EMAIL PROTECTED]]
> Sent: 17 April 2001 09:24
>
> I've found that "/usr/sbin/nscd" is the responsible program
> for that port being open. I don't know what that program is,
> as it is not found on our backup RaQ4 server (which mind you
> has a lot less updates and programs installed).

nscd isn't on a RaQ3 I've just checked either. Obviously the hacker has chosen an innocuous name for the program rather than calling it /usr/sbin/leet-ssh-shell. I'd kill the nscd program running and then remove the program immediately.

With all due respect to the other users who've posted to these mailing lists, please do note: under *no* circumstances will nscd open a TCP port giving you access to a shell prompt. In fact I'm told that in its normal operation it will only open a high-numbered UDP port. (I haven't really used nscd myself; IME it causes more problems than it fixes.) Under absolutely no circumstances ever, ever, ever will nscd behave as you describe; you will not be able to telnet to it so it can reply giving a fair imitation of an ssh daemon. The behaviour you are seeing is a hacker backdoor, it is not the normal operation of the software.

> I know that my server is now untrustworthy, but would it be a
> good idea to rename/delete this file in the meantime?

Unfortunately your tasks are now: back up the box, re-install on to the re-formatted disk, then use your backup *only* as a template on how to configure your restored host. Make sure you patch it up, use the backup to see how the hackers got in if you have the time, and do all of this offline.

(Please note I only subscribe to cobalt-security, not cobalt-users)

--
Nick Drage - Security Architecture - Demon Internet - Thus PLC
As of Wed 18/04/2001 at 9:00 this computer has been up for 17 days, 1 hour, 37 minutes, 32 seconds.

_______________________________________________
cobalt-users mailing list
[EMAIL PROTECTED]
To Subscribe or Unsubscribe, please go to:
http://list.cobalt.com/mailman/listinfo/cobalt-users

_______________________________________________
cobalt-security mailing list
[EMAIL PROTECTED]
http://list.cobalt.com/mailman/listinfo/cobalt-security
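The point Nick makes above is that a listener's process name proves nothing: what matters is whether each listening socket is one the host is expected to have. The script below is an added example written for this thread; it is not code from the list, from Cobalt or from any of the posters. It parses `netstat -tulnp` style output (a constructed sample is embedded so it runs offline), checks every listener against an assumed per-host baseline of which programs may listen on which protocol and port, and flags anything outside it, so a program calling itself "nscd" that accepts TCP connections on port 44658 is reported while the expected daemons are not. It generalises beyond the nscd case to any listener not in the baseline. The baseline contents, the sample output and the PIDs in it are all assumptions for the example.

```python
"""Flag listening sockets that fall outside an expected baseline.

Added example for the cobalt-security thread on "ssh on port 44658";
not code from the list or from Cobalt.  The netstat output and the
baseline below are constructed/assumed for illustration.
"""
import re
import subprocess

# Constructed sample of `netstat -tulnp` output on a Linux host.  The
# PID/Program column is only filled in when netstat is run as root; the
# State column is blank for UDP, which shifts the later columns left.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      312/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      401/httpd
tcp        0      0 0.0.0.0:44658           0.0.0.0:*               LISTEN      9731/nscd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      288/sendmail
udp        0      0 0.0.0.0:32768           0.0.0.0:*                           9731/nscd
"""

# Assumed per-host baseline: program name -> set of (proto, port) pairs it
# may listen on.  A port of None means "any port" for that protocol.  It
# encodes the thread's expectation that nscd may at most open a UDP port
# and must never accept TCP connections.
BASELINE = {
    "sshd": {("tcp", 22)},
    "httpd": {("tcp", 80), ("tcp", 443)},
    "sendmail": {("tcp", 25)},
    "nscd": {("udp", None)},
}


def parse_netstat(text):
    """Return (proto, port, pid, program) for each socket line.

    The local address is always the 4th column and PID/Program the last,
    whether or not the State column is present, so splitting on
    whitespace and indexing from both ends is robust to the shift.
    """
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue  # banner and header lines
        proto = parts[0].rstrip("6")
        port = int(parts[3].rsplit(":", 1)[1])  # handles "0.0.0.0:22" and ":::22"
        m = re.match(r"(\d+)/(.+)", parts[-1])
        if not m:
            # netstat prints "-" when it cannot see the socket owner
            rows.append((proto, port, None, None))
        else:
            rows.append((proto, port, int(m.group(1)), m.group(2)))
    return rows


def find_unexpected(rows, baseline=BASELINE):
    """Return [(row, reason)] for every row outside the baseline."""
    findings = []
    for row in rows:
        proto, port, pid, prog = row
        if prog is None:
            findings.append((row, "owner unknown (run netstat as root)"))
            continue
        allowed = baseline.get(prog)
        if allowed is None:
            findings.append((row, "program not in baseline"))
        elif (proto, port) not in allowed and (proto, None) not in allowed:
            permitted = ", ".join("%s/%s" % a for a in sorted(allowed, key=str))
            findings.append((row, "%s listens on %s/%d but baseline allows only %s"
                             % (prog, proto, port, permitted)))
    return findings


def audit_live():
    """Audit this host (needs root to see socket owners)."""
    out = subprocess.run(["netstat", "-tulnp"], capture_output=True, text=True).stdout
    return find_unexpected(parse_netstat(out))


if __name__ == "__main__":
    for (proto, port, pid, prog), reason in find_unexpected(parse_netstat(SAMPLE_NETSTAT)):
        print("%s/%d pid=%s prog=%s: %s" % (proto, port, pid, prog, reason))
```

On the sample above only the "nscd" TCP listener on 44658 is reported. A hit like this is a lead, not a verdict: as Nick says, the remedy once a backdoor is confirmed is to rebuild from clean media and use the old disk only for reconstruction and for working out how the intruder got in.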
RE: [cobalt-security] Re: [cobalt-users] ssh on port 44658???
Mike Rickards - MD Smartways Thu, 19 Apr 2001 05:07:21 -0700
