
Re: Strange service on Port 5656

From: H Carvey <keydet89(at)yahoo.com>
Date: Thu Apr 17 2003 - 10:08:37 EDT
In-Reply-To: <200304162335.02476.Leusent@link-net.org>

Craig,

>> When I enter something at this prompt the
backdoors.

Can you elaborate? I'm more familiar w/ Windows systems, but given what little information has been provided, I'm wondering what it is that you're seeing that leads to this conclusion.

>> Nessus detects this service as time server, can anyone confirm/ deny that?
> I have never heard of a time daemon using this port for anything. If the
> banner it yields resembles that of a time server, it may cause nessus to
> report it as such. The fact that it does doesn't really prove anything, as it
> is also a common tactic to make a rootkit yield a known banner in order to
> subvert suspicion.

This statement leads me to ask my question again...how is it that you know, without more information, that this system has been compromised?  

I would have suggested further activities, such as running lsof or fuser on the system, to find the path/name of the executable image that's bound to that port.

Thanks,

Harlan



Received on Thu Apr 17 12:09:06 2003
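
The lookup that lsof or fuser performs for a bound port, sketched for a Linux host as an added example that is not part of the original message: it finds the LISTEN socket's inode in `/proc/net/tcp`, then the process holding that inode and its executable path. The sample table and the function names are constructed for illustration; only port 5656 comes from the thread.

```python
import os
import re
import sys

# Constructed sample in /proc/net/tcp format: one listener on port 5656 (0x1618).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1618 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 48213 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11902 1 0000000000000000 100 0 0 10 0
   2: 0A00020F:1618 0A000205:C350 01 00000000:00000000 00:00000000 00000000     0        0 48377 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = "0A"  # socket state code for LISTEN in /proc/net/tcp

def listening_inodes(table_text, port):
    """Return socket inodes of LISTEN entries bound to `port`."""
    inodes = set()
    for line in table_text.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 10:
            continue
        local_port = int(fields[1].rsplit(":", 1)[1], 16)
        if local_port == port and fields[3] == TCP_LISTEN:
            inodes.add(fields[9])
    return inodes

def owners(inodes):
    """Yield (pid, exe_path) for processes holding any of the socket inodes."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            for fd in os.listdir(f"/proc/{pid}/fd"):
                m = re.fullmatch(r"socket:\[(\d+)\]", os.readlink(f"/proc/{pid}/fd/{fd}"))
                if m and m.group(1) in inodes:
                    # A "(deleted)" suffix means the binary was unlinked after start.
                    yield int(pid), os.readlink(f"/proc/{pid}/exe")
                    break
        except OSError:  # process exited, or not running as root
            continue

if __name__ == "__main__":
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 5656
    found = set()
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        if os.path.exists(path):
            with open(path) as fh:
                found |= listening_inodes(fh.read(), port)
    for pid, exe in owners(found):
        print(f"port {port}: pid {pid} -> {exe}")
```

Run as root so other users' `/proc/<pid>/fd` entries are readable. A listener that shows up in a scan from another host but yields no owner here is itself a finding worth following up from trusted media.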

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:35 EDT

