James G. Sack (jim) wrote:
> nmap profile, in case this means anything to anybody is
> - - - - - - - - - - - - - - - - - -
> PORT     STATE    SERVICE
> 22/tcp   filtered ssh
> 135/tcp  filtered msrpc
> 136/tcp  filtered profile
> 137/tcp  filtered netbios-ns
> 138/tcp  filtered netbios-dgm
> 139/tcp  filtered netbios-ssn
> 161/tcp  filtered snmp
> 162/tcp  filtered snmptrap
> 199/tcp  filtered smux
> 391/tcp  filtered synotics-relay
> 445/tcp  filtered microsoft-ds
> 705/tcp  filtered unknown
> 828/tcp  filtered unknown
> 873/tcp  open     rsync
> 1663/tcp filtered netview-aix-3
> 1723/tcp filtered pptp
> 1993/tcp filtered snmp-tcp-port
> 3001/tcp open     nessusd
> 3389/tcp filtered ms-term-serv
> 5800/tcp filtered vnc-http
> 5900/tcp filtered vnc
> - - - - - - - - - - - - - - - - - -
>
> There is no evidence of damage. No "recent changes" anywhere that I
> can see, and no evidence that pages referenced have any additions or
> other mods (from an examination of a couple of pages whose names I
> have noted in the logs).
>
> However, the log messages do persist -- one every 5-to-15 seconds
> (sometimes longer intervals ..50s)
It could be a zombie machine. If it is, then it's not the owner that's
attacking us, but someone else that "owns" that machine. The exploits
on those filtered ports are the reason why most of them are now blocked
on most cable and DSL networks. I would speculate those open ports are
signal ports for controlling the zombie. I find it interesting that
rsync (873) and nessusd (3001) are open and many of the other filtered
ports have had a history of exploits against them. It might be something
in the way a firewall is configured.
--
Neil Schneider pacneil_at_linuxgeek_dot_net
http://www.paccomp.com
Key fingerprint = 67F0 E493 FCC0 0A8C 769B 8209 32D7 1DB1 8460 C47D
"Under existing conditions, private capitalists inevitably control,
directly or indirectly, the main sources of information (press, radio,
education). It is thus extremely difficult, and indeed in most cases
quite impossible, for the individual citizen to come to objective
conclusions and to make intelligent use of his political rights."
--Albert Einstein
--
[email protected]
http://www.kernel-panic.org/cgi-bin/mailman/listinfo/kplug-steer
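An added example for readers of this thread (not code posted by either participant): parse the nmap port table quoted above, group ports by state, and build the follow-up version-detection scan a practitioner would run next against only the ports that answered as open. The NMAP_OUTPUT string is a constructed copy of the quoted table, the target address is a placeholder from the documentation range, and nothing here contacts any host.

```python
"""Parse an nmap port table (normal output) and summarise it by state.

Added example for this thread, not code from either poster. NMAP_OUTPUT is a
constructed copy of the scan table quoted in the thread; no scan is run.
"""
import re
from collections import defaultdict

# Constructed copy of the quoted port table (assumption: nmap "normal" output,
# one "PORT STATE SERVICE" row per line; header and separator rows are ignored).
NMAP_OUTPUT = """\
PORT     STATE    SERVICE
22/tcp   filtered ssh
135/tcp  filtered msrpc
136/tcp  filtered profile
137/tcp  filtered netbios-ns
138/tcp  filtered netbios-dgm
139/tcp  filtered netbios-ssn
161/tcp  filtered snmp
162/tcp  filtered snmptrap
199/tcp  filtered smux
391/tcp  filtered synotics-relay
445/tcp  filtered microsoft-ds
705/tcp  filtered unknown
828/tcp  filtered unknown
873/tcp  open     rsync
1663/tcp filtered netview-aix-3
1723/tcp filtered pptp
1993/tcp filtered snmp-tcp-port
3001/tcp open     nessusd
3389/tcp filtered ms-term-serv
5800/tcp filtered vnc-http
5900/tcp filtered vnc
"""

# One port row: "<port>/<proto> <state> <service>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
)


def parse_port_table(text):
    """Return (port, proto, state, service) tuples; non-matching lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            rows.append((int(m["port"]), m["proto"], m["state"], m["service"]))
    return rows


def by_state(rows):
    """Group (port, service) pairs by nmap state: open, filtered, closed, ..."""
    groups = defaultdict(list)
    for port, _proto, state, service in rows:
        groups[state].append((port, service))
    return dict(groups)


def version_scan_command(rows, target):
    """Build the next scan: service/version detection (-sV) limited to the
    ports that reported open. 'filtered' only means no reply came back, so
    those ports are left out; version-scanning them tells you nothing new.
    Returns None when no port was open."""
    open_ports = sorted(p for p, _proto, state, _svc in rows if state == "open")
    if not open_ports:
        return None
    return "nmap -sV -p %s %s" % (",".join(str(p) for p in open_ports), target)


if __name__ == "__main__":
    rows = parse_port_table(NMAP_OUTPUT)
    for state, ports in sorted(by_state(rows).items()):
        print("%-8s %d port(s): %s" % (state, len(ports), ports))
    # 192.0.2.1 is a placeholder address (RFC 5737 documentation range).
    print(version_scan_command(rows, "192.0.2.1"))
```

The point of separating states before acting on them is the one the reply circles around: a "filtered" result says only that no reply reached the scanner (a firewall or ISP block is enough to produce it), so it is not evidence that a vulnerable service is listening. The two "open" ports are the only ones on which a version scan, or an `rsync` module listing, can actually tell you what the remote host is running.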