[TriLUG] possible intruder - advice?

Andrew Perrin clists at perrin.socsci.unc.edu
Mon May 24 13:49:01 EDT 2004


Thanks to all. Frankly, what's most worrisome to me is that 1025 appears
open, where other ports are not:

nujoma:~# nmap -sS -vv localhost

Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
Host nujoma (127.0.0.1) appears to be up ... good.
Initiating SYN Stealth Scan against nujoma (127.0.0.1)
Adding open port 37/tcp
Adding open port 111/tcp
Adding open port 113/tcp
Adding open port 512/tcp
Adding open port 514/tcp
Adding open port 1025/tcp
Adding open port 13/tcp
Adding open port 513/tcp
Adding open port 515/tcp
Adding open port 79/tcp
Adding open port 22/tcp
Adding open port 25/tcp
Adding open port 9/tcp
Adding open port 53/tcp
The SYN Stealth Scan took 2 seconds to scan 1554 ports.
Interesting ports on nujoma (127.0.0.1):
(The 1540 ports scanned but not shown below are in state: closed)
Port       State       Service
9/tcp      open        discard
13/tcp     open        daytime
22/tcp     open        ssh
25/tcp     open        smtp
37/tcp     open        time
53/tcp     open        domain
79/tcp     open        finger
111/tcp    open        sunrpc
113/tcp    open        auth
512/tcp    open        exec
513/tcp    open        login
514/tcp    open        shell
515/tcp    open        printer
1025/tcp   open        listen


Why would 1025 be open?

ap

----------------------------------------------------------------------
Andrew J Perrin - http://www.unc.edu/~aperrin
Assistant Professor of Sociology, U of North Carolina, Chapel Hill
clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu


On Mon, 24 May 2004, Jeff Bollinger wrote:

> Andrew Perrin wrote:
> > Yes, but stopping samba doesn't seem to close port 1025.  It looks, from
> > further investigation, like it's attempts (probably failed) to mount
> > directories via nfs, which I don't like but am not terribly worried about:
> >
> > nujoma:/var/log# lsof -i TCP:1025
> > COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
> > rpc.mount 671 root    4u  IPv4   2750       TCP *:1025 (LISTEN)
> > rpc.mount 671 root    6u  IPv4  13940       TCP
> > (me, external interface):1025->user-24-214-178-146.knology.net:3821
> > (ESTABLISHED)
> > rpc.mount 671 root    7u  IPv4  17011       TCP
> > (me, external interface):1025->user-0c8gjqu.cable.mindspring.com:4742
> > (ESTABLISHED)
> >
> >
> > ----------------------------------------------------------------------
> > Andrew J Perrin - http://www.unc.edu/~aperrin
> > Assistant Professor of Sociology, U of North Carolina, Chapel Hill
> > clists at perrin.socsci.unc.edu * andrew_perrin (at) unc.edu
>
> You're probably getting attacked with a remnant of the Sasser worm.  It
> attaches to port 1025/tcp and attempts to execute code.
>
> Jeff
> --
> TriLUG mailing list        : http://www.trilug.org/mailman/listinfo/trilug
> TriLUG Organizational FAQ  : http://trilug.org/faq/
> TriLUG Member Services FAQ : http://members.trilug.org/services_faq/
> TriLUG PGP Keyring         : http://trilug.org/~chrish/trilug.asc
>
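A triage helper for the `lsof -i` output quoted in the thread, added here as an example and not part of the original post: it groups TCP sockets by process and, for each listener, reports whether it sits above the well-known port range (where an RPC daemon such as rpc.mountd lands when it takes a dynamic port from the portmapper) and which ESTABLISHED peers fall outside loopback and RFC 1918 space. It assumes `lsof -n` numeric output; the sample lines are constructed, with the thread's hostnames replaced by documentation addresses.

```python
import ipaddress
import re

# Constructed sample modelled on the lsof lines quoted in the thread, with the
# thread's hostnames replaced by RFC 5737 documentation addresses (lsof -n form).
SAMPLE = """\
COMMAND   PID USER   FD   TYPE DEVICE SIZE NODE NAME
rpc.mount 671 root    4u  IPv4   2750       TCP *:1025 (LISTEN)
rpc.mount 671 root    6u  IPv4  13940       TCP 192.0.2.10:1025->198.51.100.7:3821 (ESTABLISHED)
rpc.mount 671 root    7u  IPv4  17011       TCP 192.0.2.10:1025->203.0.113.9:4742 (ESTABLISHED)
sshd      410 root    3u  IPv4   1200       TCP *:22 (LISTEN)
sshd      410 root    5u  IPv4   1300       TCP 127.0.0.1:22->127.0.0.1:40000 (ESTABLISHED)
"""

# COMMAND/PID open each line and "TCP <name> (<STATE>)" closes it; SIZE is often blank.
LINE_RE = re.compile(r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+.*?\bTCP\s+(?P<name>\S+)\s+\((?P<state>[A-Z_]+)\)\s*$")

# Loopback, link-local and RFC 1918 are internal; unresolved hostnames count as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _host_port(s):
    host, _, port = s.rpartition(":")
    return host, int(port)

def _is_external(host):
    try:
        return not any(ipaddress.ip_address(host) in net for net in INTERNAL)
    except ValueError:
        return True

def parse_lsof(text):
    """Turn `lsof -n -i TCP` lines into dicts of cmd, pid, local_port, peer, state."""
    rows = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        local, _, peer = m["name"].partition("->")
        rows.append({"cmd": m["cmd"], "pid": int(m["pid"]), "state": m["state"],
                     "local_port": _host_port(local)[1],
                     "peer": _host_port(peer) if peer else None})
    return rows

def flag_listeners(rows, well_known_max=1023):
    """One entry per LISTEN socket (ordered by pid, port): dynamic_port marks ports above
    the well-known range; external_peers lists ESTABLISHED connections from outside."""
    listeners = {(r["pid"], r["local_port"]): r["cmd"] for r in rows if r["state"] == "LISTEN"}
    peers = {}
    for r in rows:
        if r["state"] == "ESTABLISHED" and r["peer"] and _is_external(r["peer"][0]):
            peers.setdefault((r["pid"], r["local_port"]), []).append(r["peer"])
    return [{"cmd": cmd, "pid": pid, "port": port, "dynamic_port": port > well_known_max,
             "external_peers": peers.get((pid, port), [])} for (pid, port), cmd in sorted(listeners.items())]
```

On the thread's host this would single out the rpc.mount listener on 1025 with two external peers, which is the entry to cross-check against `rpcinfo -p` and the NFS export configuration.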
