[TriLUG] possible intruder - advice?
Andrew Perrin
clists at perrin.socsci.unc.edu
Mon May 24 13:49:01 EDT 2004
Thanks to all. Frankly, what's most worrisome to me is that 1025 appears
open, where other ports are not:
nujoma:~# nmap -sS -vv localhost
Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Host nujoma (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against nujoma (127.0.0.1)
Adding open port 37/tcp
Adding open port 111/tcp
Adding open port 113/tcp
Adding open port 512/tcp
Adding open port 514/tcp
Adding open port 1025/tcp
Adding open port 13/tcp
Adding open port 513/tcp
Adding open port 515/tcp
Adding open port 79/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 9/tcp
Adding open port 53/tcp
The SYN Stealth Scan took 2 seconds to scan 1554 ports.
Interesting ports on nujoma (127.0.0.1):
(The 1540 ports scanned but not shown below are in state: closed)
Port State Service
9/tcp open discard
13/tcp open daytime
22/tcp open ssh
25/tcp open smtp
37/tcp open time
53/tcp open domain
79/tcp open finger
111/tcp open sunrpc
113/tcp open auth
512/tcp open exec
513/tcp open login
514/tcp open shell
515/tcp open printer
1025/tcp open listen
why would 1025 be open?
ap
----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
On Mon, 24 May 2004, Jeff Bollinger wrote:
> Andrew Perrin wrote:
> > Yes, but stopping samba doesn't seem to close port 1025. It looks, from
> > further investigation, like it's attempts (probably failed) to mount
> > directories via nfs, which I don't like but am not terribly worried about:
> >
> > nujoma:/var/log# lsof -i TCP:1025
> > COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
> > rpc.mount 671 root 4u IPv4 2750 TCP *:1025 (LISTEN)
> > rpc.mount 671 root 6u IPv4 13940 TCP
> > (me, external interface):1025->user-24-214-178-146.knology.net:3821
> > (ESTABLISHED)
> > rpc.mount 671 root 7u IPv4 17011 TCP
> > (me, external interface):1025->user-0c8gjqu.cable.mindspring.com:4742
> > (ESTABLISHED)
> >
> >
> > ----------------------------------------------------------------------
> > Andrew J Perrin - http://www.unc.edu/~aperrin
> > Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> > clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
>
> You're probably getting attacked with a remnant of the Sasser worm. It
> attaches to port 1025/tcp and attempts to execute code.
>
> Jeff
> --
> TriLUG mailing list : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring : http://trilug.org/~chrish/trilug.asc
>
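Editor's note (added example, not part of the thread): the lsof output above already answers the question. rpc.mountd does not have a fixed port; it binds whatever the kernel hands it (here 1025) and registers that port with the portmapper on 111, which is also why nmap's old services file prints the meaningless name "listen" for it. The tool that maps a high port back to an RPC program is `rpcinfo -p`. The script below shows that correlation and the check a responder would want next: for every listener, which RPC program (if any) it is registered as, and which ESTABLISHED peers fall outside the networks you trust. The sample `lsof -n -P -i TCP` and `rpcinfo -p` text is constructed in the style of the thread, not the poster's real output (the page redacts the host's own address, so 192.0.2.10 stands in for the external interface and 198.51.100.x for the two cable-modem peers). `triage`, `parse_lsof` and `parse_rpcinfo` are names chosen for this example.

```python
"""Correlate TCP listeners (lsof) with portmapper registrations (rpcinfo)
and flag established peers outside trusted networks.  Added example for
the TriLUG thread above; constructed sample data, not the poster's host."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed in the style of `lsof -n -P -i TCP` (numeric hosts/ports).
LSOF_SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
sshd      412 root    3u  IPv4   1901      TCP *:22 (LISTEN)
portmap   455 root    4u  IPv4   2100      TCP *:111 (LISTEN)
rpc.mount 671 root    4u  IPv4   2750      TCP *:1025 (LISTEN)
rpc.mount 671 root    6u  IPv4  13940      TCP 192.0.2.10:1025->198.51.100.7:3821 (ESTABLISHED)
rpc.mount 671 root    7u  IPv4  17011      TCP 192.0.2.10:1025->198.51.100.23:4742 (ESTABLISHED)
sshd      899 root    4u  IPv4  18220      TCP 192.0.2.10:22->10.0.0.5:51234 (ESTABLISHED)
"""

# Constructed in the style of `rpcinfo -p`: mountd sits on a dynamic port.
RPCINFO_SAMPLE = """\
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp   1024  mountd
    100005    1   tcp   1025  mountd
    100003    2   udp   2049  nfs
"""


@dataclass
class Sock:
    cmd: str
    pid: int
    user: str
    proto: str
    local_host: str
    local_port: int
    peer_host: Optional[str]
    peer_port: Optional[int]
    state: Optional[str]


# COMMAND PID USER ... TCP <local>[-><peer>] [(STATE)]; SIZE may be blank,
# so only the leading and trailing columns are matched positionally.
_LSOF_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+.*?\s(?P<proto>TCP|UDP)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def _endpoint(ep: str) -> Tuple[str, int]:
    host, _, port = ep.rpartition(":")  # rpartition keeps IPv6 colons in host
    return host.strip("[]"), int(port)


def parse_lsof(text: str) -> List[Sock]:
    socks = []
    for line in text.splitlines():
        m = _LSOF_RE.match(line)
        if not m:
            continue  # header line or a non-socket row
        local, _, peer = m["name"].partition("->")
        lh, lp = _endpoint(local)
        ph, pp = _endpoint(peer) if peer else (None, None)
        socks.append(Sock(m["cmd"], int(m["pid"]), m["user"], m["proto"],
                          lh, lp, ph, pp, m["state"]))
    return socks


def parse_rpcinfo(text: str) -> Dict[Tuple[str, int], str]:
    """Map (proto, port) -> RPC program name as registered with portmapper."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        prog, _vers, proto, port = parts[:4]
        table[(proto, int(port))] = parts[4] if len(parts) > 4 else f"prog-{prog}"
    return table


def triage(lsof_text: str, rpcinfo_text: str, trusted_nets: List[str]) -> List[dict]:
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    rpc = parse_rpcinfo(rpcinfo_text)
    socks = [s for s in parse_lsof(lsof_text) if s.proto == "TCP"]
    findings = {}
    for s in socks:
        if s.state == "LISTEN":
            findings[s.local_port] = {
                "port": s.local_port, "cmd": s.cmd, "pid": s.pid, "user": s.user,
                "rpc_service": rpc.get(("tcp", s.local_port)),  # None if not RPC
                "dynamic_port": s.local_port >= 1024,
                "untrusted_peers": [],
            }
    for s in socks:
        if s.state != "ESTABLISHED" or s.local_port not in findings:
            continue  # outbound client sockets have no listener on their local port
        try:
            trusted = any(ipaddress.ip_address(s.peer_host) in n for n in nets)
        except ValueError:
            trusted = False  # hostname (lsof without -n): cannot verify, so flag it
        if not trusted:
            findings[s.local_port]["untrusted_peers"].append(s.peer_host)
    return sorted(findings.values(), key=lambda f: f["port"])


def describe(f: dict) -> str:
    why = (f"registered with portmapper as '{f['rpc_service']}'" if f["rpc_service"]
           else "not an RPC service")
    if f["dynamic_port"] and not f["rpc_service"]:
        why += " (high port with no portmapper entry: identify the binary)"
    peers = ", ".join(f["untrusted_peers"]) or "none"
    return (f"{f['port']}/tcp {f['cmd']}[{f['pid']}] as {f['user']}: {why}; "
            f"established peers outside trusted nets: {peers}")


if __name__ == "__main__":
    for finding in triage(LSOF_SAMPLE, RPCINFO_SAMPLE, ["10.0.0.0/8", "127.0.0.0/8"]):
        print(describe(finding))
```

On the sample, 1025/tcp resolves to mountd with two peers outside the trusted ranges, while 22/tcp has only a trusted peer. A mountd that is talking to arbitrary Internet hosts is the thing to act on: check what `/etc/exports` actually exports and to whom, restrict mountd and portmap with `/etc/hosts.allow` or a packet filter, and remember that because the port is dynamic, any filter must cover the whole RPC port range rather than just 1025.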