RE: [cobalt-users] [RaQ3] Cracked ?
- Subject: RE: [cobalt-users] [RaQ3] Cracked ?
- From: Bradley Caricofe <caricofe@xxxxxxxxxxx>
- Date: Mon Jul 8 17:53:01 2002
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
> Hi again folks, just got home from our short July 4 vacation eager to get
> back on my primary development machines and delve deeper into solving the
> problems we've been experiencing in the last week. I noticed right away
> upon getting in that the server was down again. I figured I'd do a quick
> portscan, something I've been meaning to do the last couple of days since
> installing ipchains and the pmfirewall. So, the first portscan
> shows this:
>
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 81/tcp open hosts2-ns
> 110/tcp open pop-3
> 137/tcp filtered unknown
> 138/tcp filtered unknown
> 139/tcp filtered unknown
> 443/tcp open unknown
> 444/tcp open unknown
> 3306/tcp open unknown
>
> Not too bad I guess, I then noticed that all of our services were hung,
> again, ssh, httpd, all stuck. So, I reboot successfully via our
> new reboot
> switch and then ssh in and turn on our pmfirewall. I run another quick
> portscan and now it shows this:
>
> Port State Service
> 22/tcp open ssh
> 25/tcp open smtp
> 53/tcp open domain
> 80/tcp open http
> 81/tcp open hosts2-ns
> 110/tcp open pop-3
> 137/tcp filtered unknown
> 138/tcp filtered unknown
> 139/tcp filtered unknown
> 443/tcp open unknown
> 444/tcp open unknown
> 1524/tcp filtered unknown
> 3306/tcp open unknown
> 12345/tcp filtered NetBus
> 12346/tcp filtered NetBus
> 27665/tcp filtered Trinoo_Master
> 31337/tcp filtered Elite
>
> Did I just enable some cracker's software with my reboot? I downloaded the
> latest chkrootkit and it shows server as fine. Would the firewall cause
> false positives for some reason? Am I obviously and officially screwed as
> far as this server is concerned now? Thanks...
>
> 8( Brad
For the archives, I was portscanning my RaQ on Windows 2000 using nmapNT
from behind a home router/firewall. Apparently my home firewall was causing
the portscan results to look like there could be trojans on the RaQ I was
scanning. When I do the scan on an external IP address, on the other side
of my home router, the scan brings back normal results. So, server not
cracked... 8)
-Brad
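
An added example, not part of the original message: it diffs the two port tables quoted above and separates newly `open` ports from newly `filtered` ones. nmap reports `filtered` when packet filtering somewhere on the path keeps it from telling whether a port is open, so a `filtered` entry is not evidence of a listening service. The function names are illustrative.

```python
import re

# One nmap table row: port/proto, state, service name.
ENTRY = re.compile(r"(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)")

# Rows from the first scan quoted above, with line breaks flattened.
SCAN_1 = (
    "22/tcp open ssh 25/tcp open smtp 53/tcp open domain 80/tcp open http "
    "81/tcp open hosts2-ns 110/tcp open pop-3 137/tcp filtered unknown "
    "138/tcp filtered unknown 139/tcp filtered unknown 443/tcp open unknown "
    "444/tcp open unknown 3306/tcp open unknown"
)
# Same entries as the second scan (row order does not matter to the diff).
SCAN_2 = SCAN_1 + (
    " 1524/tcp filtered unknown 12345/tcp filtered NetBus "
    "12346/tcp filtered NetBus 27665/tcp filtered Trinoo_Master "
    "31337/tcp filtered Elite"
)

def parse_scan(text):
    """Map (port, proto) -> (state, service) for every row found in text."""
    return {(int(port), proto): (state, svc)
            for port, proto, state, svc in ENTRY.findall(text)}

def triage(before, after):
    """Diff two scans and bucket the changes by what they mean."""
    old, new = parse_scan(before), parse_scan(after)
    report = {"new_open": [], "new_filtered": [], "gone": []}
    for (port, proto), (state, svc) in sorted(new.items()):
        if old.get((port, proto), (None, None))[0] == state:
            continue  # unchanged since the earlier scan
        if state == "open":
            # Something now answers on this port: worth investigating.
            report["new_open"].append((port, proto, svc))
        elif state == "filtered":
            # Probe was dropped on the path; says nothing about a listener.
            report["new_filtered"].append((port, proto, svc))
    report["gone"] = sorted(key for key in old if key not in new)
    return report

if __name__ == "__main__":
    result = triage(SCAN_1, SCAN_2)
    print("newly open:    ", result["new_open"])
    print("newly filtered:", result["new_filtered"])
    print("no longer seen:", result["gone"])
```
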