Re: [cobalt-users] Port 1045 Rasmin
- Subject: Re: [cobalt-users] Port 1045 Rasmin
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Tue Nov 19 09:37:00 2002
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Sun Cobalt products. <cobalt-users.list.cobalt.com>
"Felix Kaegi" <felix@xxxxxxxxxxxx> wrote:
> We just installed our first RAQ 550 and users complain that they are
> getting alerts from their firewall that the Rasmin trojan (mIRCPlus) is
> attempting a connection from our RAQ server (see message below).
I think that trojan affects Windows boxes only so I doubt that's the cause.
Actually, the message below says that it was something accessing port 1045.
Apparently mIRCPlus commonly uses that port, but *any program* can be set to
use any port so it's not definitely that (and I think it isn't that).
> Has anyone else experienced the same? If it is indeed a trojan, does
> anyone know how it could get onto the RAQ, and more important, how can
> we remove the trojan?
An IRC program can be installed by a system user or by a hacker. It's often
difficult to find how the person got in or who installed it unless it's
set up by a system user and there's an audit trail (logs, .bash_history,
etc.). I suggest focusing on finding out what program tried to access port
1045 on a remote machine and going from there.
> >A computer at IP address xx.xxx.xxx.xx has attempted an
> >unsolicited connection to TCP port 1045 on your computer.
> >TCP port 1045 is commonly used by the "Rasmin Trojan" service
> >or program. The source computer has scanned your computer
> >for this trojan, but it has been blocked by your firewall.
Check all executable files on the server to see what might have tried to
access port 1045. Also, have you or anyone else run a port scan program
like nmap from the server? A port scan could trigger that alert. Programs
you might want to use to troubleshoot are ls, ps, find, netstat, tcpdump and
lsof (lsof isn't installed by default). Finding malicious programs, buggy
programs, rootkits and altered programs is not an entry level admin task so
if you aren't comfortable or knowledgeable enough to do it you may want to
hire someone to assist you. If you haven't already I'd install a rootkit
checker like chkrootkit, a port scan detector like portsentry, a firewall
like ipchains (limiting access and ports as much as possible), a log monitor
like logsentry, the latest Sun packages, disable services that you don't run
(IMAP, Bind, ASP are prime candidates for many RaQ admins) and other
security software. Good luck.
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/
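The triage Steve suggests (find out which program on the RaQ is talking to port 1045 on a remote host, then look at that process) can be scripted. The following is an added example, not code from the original thread or from Sun/Cobalt: it assumes the Linux net-tools `netstat -anp` column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State, PID/Program name) and works on a constructed sample of that output so it runs offline; the process name `eggdrop` and the addresses in the sample are made up for illustration. On a live box you would pipe real `netstat -anp` output (as root, so PIDs are shown) into the same function, then run the follow-up commands it prints.

```shell
#!/bin/sh
# Added example (not from the original post). Find which local process has a
# connection to a given remote TCP/UDP port, from `netstat -anp` style output,
# then print the commands a practitioner would run next on that PID.

# Constructed sample of Linux net-tools `netstat -anp` output (not real data).
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      412/httpd
tcp        0      0 10.0.0.5:49322          192.0.2.10:1045         ESTABLISHED 2871/eggdrop
tcp        0      0 10.0.0.5:49323          198.51.100.7:6667       ESTABLISHED 2871/eggdrop
tcp        0      0 10.0.0.5:22             203.0.113.4:52110       ESTABLISHED 901/sshd'

# conns_to_port PORT < netstat-output
# Prints "PID/Program ForeignAddress" for every socket whose *foreign* port is
# PORT. The port is taken as the text after the last ':' so IPv6 addresses
# (e.g. ::1:1045) are handled the same way as IPv4 ones.
conns_to_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/ {
            n = split($5, f, ":")
            if (f[n] == port) print $NF, $5
        }'
}

# pid_of_conn "PID/Program"  ->  PID
# net-tools prints "-" for the PID when you are not root; pass that through so
# the caller can notice it.
pid_of_conn() {
    printf '%s\n' "${1%%/*}"
}

# next_steps PID
# Prints (does not run) the follow-up commands for the process that owns the
# connection: where its binary and working directory really are, what files and
# sockets it holds open, and who started it. lsof is not installed by default on
# a RaQ, as the post notes, hence the comment on that line.
next_steps() {
    pid="$1"
    if [ "$pid" = "-" ]; then
        echo "# PID not shown: rerun netstat -anp as root"
        return 1
    fi
    echo "ls -l /proc/$pid/exe /proc/$pid/cwd      # real binary and directory (deleted/hidden files show here)"
    echo "cat /proc/$pid/cmdline | tr '\\0' ' '; echo  # full command line"
    echo "ps -o user,ppid,lstart,cmd -p $pid        # owner, parent, start time"
    echo "lsof -p $pid                              # open files/sockets (install lsof first)"
    echo "tcpdump -n 'tcp port 1045'                # confirm the traffic on the wire"
}

# Stand-alone run over the constructed sample.
main() {
    printf '%s\n' "$SAMPLE_NETSTAT" | conns_to_port 1045 | while read -r prog addr; do
        echo "== $prog -> $addr"
        next_steps "$(pid_of_conn "$prog")"
    done
}

[ "${NO_MAIN:-0}" = "1" ] || main
```

Running it prints the one matching connection (`2871/eggdrop -> 192.0.2.10:1045`) and the commands to inspect PID 2871. A process that connects to both 1045 and 6667 (the usual IRC port) is exactly the pattern Steve describes: an IRC client or bot, possibly installed by a user, possibly by an intruder, and `/proc/PID/exe` plus `ps -o lstart` tells you where it lives and when it started, which is where the audit trail (logs, `.bash_history`) picks up.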