* Matthias G. Imhof <[EMAIL PROTECTED]> [010207 15:32]:
> Performing strobe or nmap on my system, I get, e.g., the following list:
>
> 79/tcp open finger
> 119/tcp open nntp
> 143/tcp open imap2
> 540/tcp open uucp
> 6667/tcp open irc
> 12345/tcp open NetBus
> 12346/tcp open NetBus
> 31337/tcp open Elite
>
> However, lsof -i tcp:79 yields nothing. Similarly with the others.
> In addition, there should be no irc running, finger is commented from the
> inetd.conf, and so on.
>
> Why do these ports respond to strobe or nmap? Which process controls them?

My immediate guess, upon seeing anything running on 31337, is that
you've been "0wn3d", as the script kiddies put it, and maybe lsof has
been trojaned not to list the attacker's processes.

You are running lsof as root, right? It won't show you everything as an
ordinary user.

You don't say what version of Debian you're running. If you're running
potato or unstable on x86, with lsof-2.2 4.48-1, here's the md5sum for
it:

be8cf28300c29db5dffbea19fd613abf /usr/sbin/lsof

If that's not it, it's a trojan.

I'd guess that other useful tools for finding out what's going on, e.g.
ls and ps and fuser, have been trojaned as well. (Although you might
want to try "fuser 31337/tcp", maybe the attacker forgot about it.)

Reinstall fileutils, procps, psmisc, lsof-2.2, and findutils if you're
interested in further investigation.

-- 
Brock Sides
[EMAIL PROTECTED]

The original plan [for GNOME] was to aim to make a desktop as good as
the Macintosh, and we should not lower our ambition by making one merely
as good as Windows.
 -- RMS
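
An added example, not part of the original thread: one way to cross-check the three views discussed above (scanner output, the kernel's socket table in /proc/net/tcp, and what lsof lists) so that a port hidden by a modified lsof stands out. The function names and all sample data are constructed for illustration, lsof output is assumed to come from `lsof -nP -i tcp`, and a kernel-level rootkit could falsify /proc as well.

```python
import re

LISTEN = "0A"  # TCP_LISTEN state code used in /proc/net/tcp

# Constructed samples (not from the thread); replace with real captures.
SAMPLE_SCAN = "79/tcp open finger\n6667/tcp open irc\n31337/tcp open Elite\n"
SAMPLE_PROC = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:004F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203
   3: 0A00000A:0016 0A000014:C350 01 00000000:00000000 00:00000000 00000000     0        0 1204
"""
SAMPLE_LSOF = """\
inetd 201 root 4u IPv4 1201 0t0 TCP *:79 (LISTEN)
exim 310 root 3u IPv4 1203 0t0 TCP 127.0.0.1:25 (LISTEN)
"""

def kernel_listeners(proc_text):
    """Return {port: inode} for LISTEN sockets in /proc/net/tcp text."""
    out = {}
    for line in proc_text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:            # established etc. are ignored
            continue
        out[int(f[1].rsplit(":", 1)[1], 16)] = int(f[9])  # HEXIP:HEXPORT, inode
    return out

def scan_ports(scan_text):
    """Ports reported open in nmap/strobe-style 'N/tcp open name' lines."""
    return {int(m.group(1)) for m in re.finditer(r"^(\d+)/tcp\s+open\b", scan_text, re.M)}

def lsof_ports(lsof_text):
    """Listening ports that lsof admits to (numeric output assumed)."""
    return {int(m.group(1)) for m in re.finditer(r":(\d+) \(LISTEN\)", lsof_text)}

def cross_check(scan_text, proc_text, lsof_text):
    kernel, tool = kernel_listeners(proc_text), lsof_ports(lsof_text)
    report = {}
    for port in sorted(scan_ports(scan_text)):
        if port in tool:
            report[port] = "listed by lsof"
        elif port in kernel:  # kernel sees a listener the tool omits: distrust the tool
            report[port] = "in /proc/net/tcp (inode %d) but missing from lsof" % kernel[port]
        else:                 # answered the scan, yet no local listener is recorded
            report[port] = "no local listener in /proc/net/tcp"
    return report

if __name__ == "__main__":
    for port, verdict in cross_check(SAMPLE_SCAN, SAMPLE_PROC, SAMPLE_LSOF).items():
        print(port, verdict)
```

The inode reported for a hidden port can be matched against the socket links under /proc/<pid>/fd to find the owning process without relying on lsof, ps or fuser.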