Subject: Re: port 511. help needed.
From: Daniel Harrison (danielh LOUDCLOUD.COM)
Date: Thu Oct 26 2000 - 11:34:13 CDT
- Next message: ___cliff rayman___: "Re: Nessus Causing Problems?"
- Previous message: Daniel Harrison: "Re: Nessus Causing Problems?"
- In reply to: Eagle C. Huang: "Re: port 511. help needed."
- Next in thread: Avery Payne: "The rpc.statd exploit is more common than you think..."
- Reply: Daniel Harrison: "Re: port 511. help needed."
I would also get a fresh copy of any binaries you feel might be "bad" and put
them on write-protected media. Run the ones on the system and then run the fresh
copies. If you notice that the outputs are different (for example ifconfig
switches the first interface it reports) that is a bad sign. If you see that, you
pretty much know the box has been owned. But also don't forget there are kernel
module rootkits out now (knark is one) that won't replace the binaries; they just
intercept the system calls.
dan
"Eagle C. Huang" wrote:
> I recently found one of my friend's linux servers had been hacked via port
> 111 (rpc.statd ?)
> The hacker replaced ls, find, netstat, ps... in this system and tried to hide
> some ssh daemon
> which used port 511 for a backdoor.
> Try using
> #strings ls
> command to check if there's some weird entry point to a hidden file (such as
> /usr/src/.puta ).
> In that file you will find the hacker's directories or files.
>
> Sorry for my poor English.
>
> ----- Original Message -----
> From: Nazri Hussain <nazrih MIMOS.MY>
> To: <FOCUS-LINUX SECURITYFOCUS.COM>
> Sent: Wednesday, October 25, 2000 10:13 AM
> Subject: port 511. help needed.
>
> > hi everybody,
> >
> > recently, I've port scanned (using nmap) my own server and found that port
> > 511 is open for connection. i was wondering what is port 511 used for
> > ? can i close it and how ?
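
The comparison described in the reply above (run the installed tool, then a fresh copy from write-protected media, and compare the results), as an added shell example that is not part of the original thread. The mount point `/mnt/trusted/bin` and the function name `check_tool` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: compare suspect system tools with known-good copies.
# Assumption: TRUSTED is a read-only mount holding fresh binaries from the
# same package versions as the system (the path is hypothetical).
TRUSTED=${TRUSTED:-/mnt/trusted/bin}

# check_tool NAME SYSTEM_PATH [ARGS...]
# Prints one verdict line. Returns 0 if both copies match, 1 if the file
# contents or the output differ, 2 if either copy is missing.
check_tool() {
    name=$1; sys=$2; shift 2
    good="$TRUSTED/$name"
    if [ ! -x "$good" ] || [ ! -x "$sys" ]; then
        echo "$name: SKIPPED (missing trusted or system copy)"
        return 2
    fi

    # Byte-for-byte comparison of the two files. On a real host, put the
    # trusted media first in PATH so cmp itself is a known-good copy.
    if cmp -s "$good" "$sys"; then content=same; else content=differs; fi

    # Behavioural comparison: run both with the same arguments and compare
    # what they report. "|| true" keeps a non-zero exit from aborting under set -e.
    out_good=$("$good" "$@" 2>&1) || true
    out_sys=$("$sys" "$@" 2>&1) || true
    if [ "$out_good" = "$out_sys" ]; then output=same; else output=differs; fi

    echo "$name: content=$content output=$output"
    [ "$content" = same ] && [ "$output" = same ]
}

# Typical use, with a deterministic invocation so the outputs are comparable:
#   check_tool ls "$(command -v ls)" -a /usr/src
#   check_tool ifconfig "$(command -v ifconfig)" -a
# Output of ps or netstat changes between runs, so for those rely on the
# content verdict. A kernel-module rootkit filters both copies alike, so
# matching results on a running system do not clear the host.
```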