Re: [LUG.ro] Checking `bindshell'... INFECTED (PORTS: 3133)

Wed, 03 Jul 2002 13:54:23 -0700 

----- Original Message -----
From: "Sebasti�n D. Criado" <[EMAIL PROTECTED]>
Sent: Tuesday, July 02, 2002 7:35 PM
> Guarda Fer, el bindshell tambi�n sale por el 3133.

Siguiendo los consejos de SCriado, estuve investigando y llegue a
la conclusion que (ademas de ser un bol.) el tema es que efectivamente
named estaba escuchando en ese puerto y no porque este envichado
sino de puro antojo.
Se ve que el tipo escoge al azar un port y cuando chkrootkit lo encontro
el 3133 ocupado dijo, ZAS, te pesque !!!
Obviamente esto estaba delante de mis narices pero me tomo casi 2 dias
desASNARME.
Fijense que la linea del log "Forwarding source address is [0.0.0.0].3133"
cambia cada vez que named reinicia y no se que criterios usa para escojer
los puertos.
Ya no volvera a pasar porque al 3133 y al 31337 se los deje al portsentry.

Esto fue todos, no hay moros en la costa.

Saludos
Fernando

-----------------/var/log/syslog (potato)-----------------------------------
Jul  1 12:49:31 debian named[19757]: dumping nameserver data
Jul  1 12:49:31 debian named[19757]: finished dumping nameserver data
Jul  1 12:49:31 debian named[19757]: named shutting down
Jul  1 12:49:31 debian named[19757]: USAGE 1025527771 1024911547
CPU=115.84u/30.09s CHILDCPU=0u/0s
Jul  1 12:49:31 debian named[19757]: NSTATS 1025527771 1024911547 A=34366
PTR=19877 MX=225 TXT=1 AAAA=173 38=83 ANY=94
Jul  1 12:49:31 debian named[19757]: XSTATS 1025527771 1024911547 RR=2552
RNXD=251 RFwdR=1242 RDupR=24 RFail=40 RFErr=0 RErr=0 RAXFR=0 RLame=5 ROpts=0
SSysQ=989 SAns=54543 SFwdQ=1421 SDupQ=654 SErr=0 RQ=54967 RIQ=1 RFwdQ=1421
RDupQ=280 RTCP=0 SFwdR=1242 SFail=1 SFErr=0 SNaAns=51877 SNXD=18174 RUQ=0
RURQ=0 RUXFR=0 RUUpd=0
Jul  1 12:49:31 debian named[31504]: starting (/etc/bind/named.conf).  named
8.2.3-REL-NOESW Sat Jan 27 01:46:37 MST 2001
^Ibdale@winfree:/home/bdale/debian/bind-8.2.3/src/bin/named
Jul  1 12:49:31 debian named[31504]: hint zone "" (IN) loaded (serial 0)
Jul  1 12:49:31 debian named[31504]: master zone "algoritmosrl.com.ar" (IN)
loaded (serial 1)
Jul  1 12:49:31 debian named[31504]: master zone "localhost" (IN) loaded
(serial 1)
Jul  1 12:49:31 debian named[31504]: master zone "127.in-addr.arpa" (IN)
loaded (serial 1)
Jul  1 12:49:31 debian named[31504]: master zone "0.in-addr.arpa" (IN)
loaded (serial 1)
Jul  1 12:49:31 debian named[31504]: master zone "255.in-addr.arpa" (IN)
loaded (serial 1)
Jul  1 12:49:31 debian named[31504]: listening on [127.0.0.1].53 (lo)
Jul  1 12:49:31 debian named[31504]: listening on [200.200.200.200].53
(eth0)
Jul  1 12:49:31 debian named[31504]: listening on [10.1.85.18].53 (eth1)
Jul  1 12:49:31 debian named[31504]: Forwarding source address is
[0.0.0.0].3133
Jul  1 12:49:31 debian named[31505]: Ready to answer queries.
Jul  1 12:49:31 debian named[31505]: named shutting down
Jul  1 12:49:31 debian named[31505]: USAGE 1025527771 1025527771
CPU=0u/0.02s CHILDCPU=0u/0s
Jul  1 12:49:31 debian named[31505]: NSTATS 1025527771 1025527771
Jul  1 12:49:31 debian named[31505]: XSTATS 1025527771 1025527771 RR=0
RNXD=0 RFwdR=0 RDupR=0 RFail=0 RFErr=0 RErr=0 RAXFR=0 RLame=0 ROpts=0
SSysQ=1 SAns=0 SFwdQ=0 SDupQ=0 SErr=0 RQ=0 RIQ=0 RFwdQ=0 RDupQ=0 RTCP=0
SFwdR=0 SFail=0 SFErr=0 SNaAns=0 SNXD=0 RUQ=0 RURQ=0 RUXFR=0 RUUpd=0
-----------------/var/log/syslog----------------------------------------

Responder a