OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: port 511. help needed.
From: Eagle C. Huang (demomMS5.HINET.NET)
Date: Thu Oct 26 2000 - 05:57:06 CDT


I recently found one of my friend's linux servers had been hacked via port
111 (rpc.statd ?)
The hacker replaced ls, find, netstat, ps... in this system tried to hide
some ssh deamon
    which used port 511 for backdoor.
Try using
#strings ls
command to check if there's some weird entry point to a hidden file (such as
/usr/src/.puta ).
In that file you will find hacker's direcrtories or files.

Sorry for my poor English.

----- Original Message -----
From: Nazri Hussain <nazrihMIMOS.MY>
To: <FOCUS-LINUXSECURITYFOCUS.COM>
Sent: Wednesday, October 25, 2000 10:13 AM
Subject: port 511. help needed.

> hi everybody,
>
> recently, I've port scanned (using nmap) my own server and found that port
> 511 is open for connection. i was wondering what is port 511 used for
> ? can i close it and how ?