Pantek Library

Re: Strange service on Port 5656

From: Craig Holmes <Leusent(at)link-net.org>
Date: Wed Apr 16 2003 - 16:35:02 EDT

On April 16, 2003 08:19 pm, B F wrote:
> When I enter something at this prompt the

That response is clearly characteristic of rootkit backdoors.

> Nessus detects this service as time server, can anyone confirm/deny that?

I have never heard of a time daemon using this port for anything. If the banner it yields resembles that of a time server, it may cause Nessus to report it as such. The fact that it does doesn't really prove anything, as it is also a common tactic to make a rootkit yield a known banner in order to subvert suspicion.

> The host in question is a SuSE Linux System and

That is probably very likely. This device (system) is also most likely quite old, and an attacker may have even exploited a different service to gain access, then disabled it.

The system is clearly a security risk, and, in my opinion, most likely compromised.

Craig Holmes



Received on Wed Apr 16 17:44:05 2003
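
Added example, not part of the original message or written by its author: because a banner says nothing reliable about what is really listening, this Python check compares the host's own /proc/net/tcp listing with the ports a scan from another machine found open and with a list of expected services. The sample table, the scan result, the allowlist and the function names are all constructed for illustration.

```python
LISTEN = "0A"  # TCP state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (ports are hex: 0016=22, 0050=80,
# 0019=25, 1F90=8080). IPv6 listeners would be in /proc/net/tcp6 instead.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 c0a1 300 0 0 2 -1
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1310 1 c0a2 300 0 0 2 -1
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1422 1 c0a3 300 0 0 2 -1
   3: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000   500        0 1477 1 c0a5 300 0 0 2 -1
   4: C0A8010A:0016 C0A80114:C350 01 00000000:00000000 02:000A0000 00000000     0        0 1533 3 c0a4 21 4 1 5 -1
"""


def listening_ports(proc_net_tcp_text):
    """Return {port: details} for every socket in LISTEN state."""
    ports = {}
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue  # malformed row, or an established/other-state socket
        addr_hex, port_hex = fields[1].split(":")
        ports[int(port_hex, 16)] = {
            "loopback_only": addr_hex == "0100007F",  # 127.0.0.1, little-endian
            "uid": int(fields[7]),
            "inode": int(fields[9]),  # match against /proc/<pid>/fd to find the owner
        }
    return ports


def triage(proc_net_tcp_text, externally_open, expected):
    """Flag ports worth investigating.

    HIDDEN: reachable from the network but missing from the host's own view,
            which is what a kernel-level rootkit hiding its socket looks like
            (port forwarding or an IPv6-only listener must be ruled out first).
    UNEXPECTED: listed locally but not a service this host is meant to run.
    """
    local = listening_ports(proc_net_tcp_text)
    findings = []
    for port in sorted(set(local) | set(externally_open)):
        if port in externally_open and port not in local:
            findings.append((port, "HIDDEN"))
        elif port not in expected:
            findings.append((port, "UNEXPECTED"))
    return findings


if __name__ == "__main__":
    # Constructed scan result: a remote scan saw 22, 80 and 5656 open.
    for port, verdict in triage(SAMPLE_PROC_NET_TCP, {22, 80, 5656}, {22, 25, 80}):
        print(port, verdict)
```

On a host already suspected of compromise, take the local listing from trusted media or a forensic image, since userland tools and /proc itself may be tampered with.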

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT

