Re: BackOrifice on Linux?
on Wed, Jan 29, 2003 at 10:15:23AM -0600, Kent West ([EMAIL PROTECTED]) wrote:
> Rob Weir wrote:
> >On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
> >
> >>I just ran the command "sudo nmap -sT -sU localhost" which listed the
> >>following:
> >>12345/tcp  open  NetBus
> >>12346/tcp  open  NetBus
> >>27665/tcp  open  Trinoo_Master
> >>31335/udp  open  Trinoo_Register
> >>Should I be concerned, or is this maybe part of portsentry or something
> >>similar?
>
> Looks like it may just be part of portsentry. Thanks!
>
> >westek[westk]:/home/westk> sudo netstat -ntuple
> >Active Internet connections (only servers)
> >Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
> >tcp        0      0 0.0.0.0:1               0.0.0.0:*               LISTEN      0          2168       701/portsentry
> >tcp        0      0 0.0.0.0:20034           0.0.0.0:*               LISTEN      0          2201       701/portsentry
> >tcp        0      0 0.0.0.0:32771           0.0.0.0:*

One of the annoying aspects of portsentry is that it opens the ports it
listens on. This can lead to false-positive alerts when scanning your own
systems.

Snort is another package which detects traffic on ports but doesn't open
them. I'd recommend it as an alternative.

Peace.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   The Amazon "one-click" patent boycott -- yes, it continues:
     http://www.fsf.org/philosophy/amazon.html#whyContinue

-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
Re: BackOrifice on Linux?
Dave Sherohman wrote:

> On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
>> Should I be concerned, or is this maybe part of portsentry or something
>> similar?
>
> That's exactly what it is. portsentry listens on every commonly-recognized
> port that doesn't already have something running there and reports any
> connections it receives. If you want to know what's really listening on
> your machine (whether via netstat, nmap, or whatever else), you need to
> shut down portsentry first.

Thanks!
Re: BackOrifice on Linux?
On Tue, 2003-01-28 at 16:43, Kent West wrote:
> I just ran the command "sudo nmap -sT -sU localhost" which listed the
> following:
>
> . . .
>
> 12345/tcp  open  NetBus
> 12346/tcp  open  NetBus
> 27665/tcp  open  Trinoo_Master
> 31335/udp  open  Trinoo_Register
> 31337/tcp  open  Elite
> 31337/udp  open  BackOrifice
> 32770/udp  open  sometimes-rpc4
>
> . . .
>
> Should I be concerned, or is this maybe part of portsentry or something
> similar?

Shouldn't you run nmap on $EXTERN_IP, instead of localhost?
I could care less what ports that localhost is listening to...

-- 
+-----------------------------------------------------------+
| Ron Johnson, Jr.     mailto:[EMAIL PROTECTED]             |
| Jefferson, LA USA    http://members.cox.net/ron.l.johnson |
|                                                           |
| "Fear the Penguin!!"                                      |
+-----------------------------------------------------------+
Re: BackOrifice on Linux?
On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
> Should I be concerned, or is this maybe part of portsentry or something
> similar?

That's exactly what it is. portsentry listens on every commonly-recognized
port that doesn't already have something running there and reports any
connections it receives. If you want to know what's really listening on
your machine (whether via netstat, nmap, or whatever else), you need to
shut down portsentry first.

-- 
The freedoms that we enjoy presently are the most important victories of
the White Hats over the past several millennia, and it is vitally
important that we don't give them up now, only because we are frightened.
  - Eolake Stobblehouse (http://stobblehouse.com/text/battle.html)
Re: BackOrifice on Linux?
Rob Weir wrote:

> On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
>> I just ran the command "sudo nmap -sT -sU localhost" which listed the
>> following:
>>
>> . . .
>>
>> 12345/tcp  open  NetBus
>> 12346/tcp  open  NetBus
>> 27665/tcp  open  Trinoo_Master
>> 31335/udp  open  Trinoo_Register
>> 31337/tcp  open  Elite
>> 31337/udp  open  BackOrifice
>> 32770/udp  open  sometimes-rpc4
>>
>> . . .
>>
>> Should I be concerned, or is this maybe part of portsentry or something
>> similar?
>
> No idea. nmap, amazing as it is, isn't the only tool you need though. Try
> running 'netstat -ntuple' to see which programs are actually listening,
> according to the kernel. Of course, netstat could have been replaced with
> a trojaned version, and your kernel could have been messed with, but,
> otherwise it'll show you what programs are listening on your ports...
>
> -rob

Looks like it may just be part of portsentry. Thanks!

westek[westk]:/home/westk> sudo netstat -ntuple
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 0.0.0.0:1               0.0.0.0:*               LISTEN      0          2168       701/portsentry
tcp        0      0 0.0.0.0:20034           0.0.0.0:*               LISTEN      0          2201       701/portsentry
tcp        0      0 0.0.0.0:32771           0.0.0.0:*               LISTEN      0          2207       701/portsentry
tcp        0      0 0.0.0.0:32772           0.0.0.0:*               LISTEN      0          2209       701/portsentry
tcp        0      0 0.0.0.0:40421           0.0.0.0:*               LISTEN      0          2215       701/portsentry
tcp        0      0 0.0.0.0:32773           0.0.0.0:*               LISTEN      0          2211       701/portsentry
tcp        0      0 0.0.0.0:901             0.0.0.0:*               LISTEN      0          496364/inetd
tcp        0      0 0.0.0.0:32774           0.0.0.0:*               LISTEN      0          2213       701/portsentry
tcp        0      0 0.0.0.0:31337           0.0.0.0:*               LISTEN      0          2205       701/portsentry
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN      0          2195       701/portsentry
Re: BackOrifice on Linux?
On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
> I just ran the command "sudo nmap -sT -sU localhost" which listed the
> following:
>
> . . .
>
> 12345/tcp  open  NetBus
> 12346/tcp  open  NetBus
> 27665/tcp  open  Trinoo_Master
> 31335/udp  open  Trinoo_Register
> 31337/tcp  open  Elite
> 31337/udp  open  BackOrifice
> 32770/udp  open  sometimes-rpc4
>
> . . .
>
> Should I be concerned, or is this maybe part of portsentry or something
> similar?

No idea. nmap, amazing as it is, isn't the only tool you need though. Try
running 'netstat -ntuple' to see which programs are actually listening,
according to the kernel. Of course, netstat could have been replaced with
a trojaned version, and your kernel could have been messed with, but,
otherwise it'll show you what programs are listening on your ports...

-rob
Re: BackOrifice on Linux?
You may have installed the fakebo package; it is designed to implement a
fake Back Orifice, to capture attacks of this type to your network.

Anyway, run a netstat -p to see which process is using that port.

Cheers,
rak

On Tue, Jan 28, 2003 at 04:43:51PM -0600, Kent West wrote:
> I just ran the command "sudo nmap -sT -sU localhost" which listed the
> following:
>
> . . .
>
> 12345/tcp  open  NetBus
> 12346/tcp  open  NetBus
> 27665/tcp  open  Trinoo_Master
> 31335/udp  open  Trinoo_Register
> 31337/tcp  open  Elite
> 31337/udp  open  BackOrifice
> 32770/udp  open  sometimes-rpc4
>
> . . .
>
> Should I be concerned, or is this maybe part of portsentry or something
> similar?
>
> Sweating just a bit,
> Kent
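Several replies above make the same point: nmap only tells you a port answers, while 'netstat -ntuple' or 'netstat -p' asks the kernel which process actually owns it, and in this case that turns out to be portsentry holding the decoy ports open. The script below is an added example, not code from any poster in this thread nor from the portsentry, nmap or netstat projects. It reads the same kernel table netstat reads (/proc/net/tcp), decodes the hex address and port fields, keeps only sockets in the LISTEN state, and maps a socket inode to its owning process by scanning /proc/<pid>/fd symlinks, which is how netstat -p resolves the PID/Program name column. Because it never calls the netstat binary it sidesteps a replaced netstat, but, as Rob notes, a tampered kernel can still lie to it. The embedded sample table is constructed for this example; the inode numbers and the 127.0.0.1:901 and established-port-22 rows are illustrative, and the --live flag is this script's own.

```shell
#!/bin/sh
# Added example: list LISTENing TCP sockets straight from the kernel's
# /proc/net/tcp table and map each to its owning process via /proc/<pid>/fd,
# without invoking netstat or nmap. POSIX sh; Linux for the live mode.

# Constructed sample in /proc/net/tcp format. Rows 0-3 mirror the kind of
# portsentry/inetd listeners shown in this thread; row 4 is an ESTABLISHED
# (st 01) connection to port 22 and must be filtered out. Inode values and
# the 127.0.0.1 bind are illustrative, not taken from the thread.
SAMPLE_PROC_NET_TCP='  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0001 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2168 1 0000000000000000 100 0 0 10 0
   1: 00000000:4E42 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2201 1 0000000000000000 100 0 0 10 0
   2: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 2205 1 0000000000000000 100 0 0 10 0
   3: 0100007F:0385 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 3001 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0016 0100007F:B43C 01 00000000:00000000 00:00000000 00000000  1000        0 5120 1 0000000000000000 20 4 30 10 -1'

# /proc/net/tcp stores IPv4 addresses as 8 hex digits in host byte order; on
# little-endian hosts (x86) the last byte pair is the first dotted octet.
hex2ip() {
    h=$1
    b1=${h#??????}
    b2=${h#????}; b2=${b2%??}
    b3=${h#??};   b3=${b3%????}
    b4=${h%??????}
    printf '%d.%d.%d.%d' "$((0x$b1))" "$((0x$b2))" "$((0x$b3))" "$((0x$b4))"
}

# Reads /proc/net/tcp-format text on stdin and prints one line per socket in
# state 0A (TCP_LISTEN) as "<addr>:<port> uid=<uid> inode=<inode>".
# Field order: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
list_listeners() {
    while read -r sl laddr _raddr st _txrx _tr _retr uid _timeout inode _rest; do
        [ "$sl" = "sl" ] && continue      # skip the header line
        [ "$st" = "0A" ] || continue      # keep LISTEN sockets only
        addr=${laddr%:*}; port=${laddr#*:}
        printf '%s:%d uid=%s inode=%s\n' "$(hex2ip "$addr")" "$((0x$port))" "$uid" "$inode"
    done
}

# Maps a socket inode to "pid/comm" by scanning every process's fd symlinks for
# "socket:[<inode>]", the same lookup netstat -p performs. Needs root to read
# other users' /proc/<pid>/fd. Prints nothing and returns 1 if no owner found.
inode_owner() {
    for fd in /proc/[0-9]*/fd/*; do
        [ "$(readlink "$fd" 2>/dev/null)" = "socket:[$1]" ] || continue
        pid=${fd#/proc/}; pid=${pid%%/*}
        printf '%s/%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        return 0
    done
    return 1
}

# Live mode: walk the running kernel's table and resolve each listener's owner.
# TCP only: IPv6 listeners are in /proc/net/tcp6, and UDP sockets in
# /proc/net/udp have no LISTEN state, so they need a different filter.
show_live_listeners() {
    list_listeners < /proc/net/tcp | while read -r sock _uid ino; do
        printf '%s %s owner=%s\n' "$sock" "$ino" "$(inode_owner "${ino#inode=}" || echo '?')"
    done
}

case "${1:-}" in
    --live) show_live_listeners ;;
    *)      printf '%s\n' "$SAMPLE_PROC_NET_TCP" | list_listeners ;;
esac
```

Run with no arguments to decode the constructed sample, or as root with --live to see what the kernel says is listening on a real host. If a port nmap flagged resolves to portsentry here, it is a decoy; if it resolves to a process you do not recognise, that is when to start sweating.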
BackOrifice on Linux?
I just ran the command "sudo nmap -sT -sU localhost" which listed the
following:

. . .

12345/tcp  open  NetBus
12346/tcp  open  NetBus
27665/tcp  open  Trinoo_Master
31335/udp  open  Trinoo_Register
31337/tcp  open  Elite
31337/udp  open  BackOrifice
32770/udp  open  sometimes-rpc4

. . .

Should I be concerned, or is this maybe part of portsentry or something
similar?

Sweating just a bit,
Kent