[GLLUG] Infected - Help/advice?
Marshal Newrock
marshal at idealso.com
Mon Mar 12 10:48:45 EDT 2007
On Mon, 12 Mar 2007 08:49:20 -0500
"Benjamin Cathey" <benjamincathey at catheycompany.com> wrote:
> Checking `bindshell'... INFECTED (PORTS: 465)
[snip]
> Should I be worried or is there something I am not understanding
> here? According to what I can find on the net this (the bindshell
> port 465) is a common false positive.
Your mail server is configured to work with Outlook Express's "tls
wrapper mode" which sends encrypted authentication info to one port,
and then regular traffic on the regular smtp port. Port 465 is smtps,
an obsolete protocol.
> But what about all this -
>
> netstat -a on the mailserver shows:
>
> tcp 0 0 192.168.1.3:http 86.104.31.200:40681 SYN_RECV
> tcp 0 0 192.168.1.3:http 86-104-24-216.dcn:31080 SYN_RECV
> tcp 0 0 192.168.1.3:http 86-104-25-13.dcn.r:2588 SYN_RECV
> tcp 0 0 192.168.1.3:http 89.38.76.167:11036 SYN_RECV
> tcp 0 0 192.168.1.3:http 89.36.90.234:53767 SYN_RECV
> tcp 0 0 192.168.1.3:http 89.35.250.183:19545 SYN_RECV
> tcp 0 0 192.168.1.3:http 86.106.135.250:21940 SYN_RECV
> tcp 0 0 192.168.1.3:http 86-104-25-149.dcn.:4078 SYN_RECV
> tcp 0 0 192.168.1.3:http 86-104-26-82.dcn.:33662 SYN_RECV
> tcp 0 0 192.168.1.3:http 89.35.251.116:33549 SYN_RECV
>
> why would the mailserver have outgoing http to all these IP addresses?
Good question. Seeing full hostnames might help. Some other things
you can try:
* nmap localhost on the machine, telnet to any odd ports and see what
it says.
* 'ps auxf' and look for odd processes
* install wireshark or some other traffic sniffer.
* look for source code or executable files in /tmp which would indicate
a successful exploit.
--
Marshal Newrock
Ideal Solution, LLC - http://www.idealso.com
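Two of the checks in the reply above, reading the netstat -a output and looking for source or executable files in /tmp, as an added example that is not code from the thread or from anyone in it. It works the ten posted netstat lines (re-flowed one connection per line) and adds one constructed ESTABLISHED line to show what a genuine outbound HTTP connection looks like by contrast; the set of expected listening services and the temporary directory of constructed files standing in for /tmp are assumptions made for the example.

```python
"""Triage helpers for two checks from the reply: reading netstat -a output and
looking for source/executable files in /tmp.  Added example, not thread code."""
import os
import stat
import tempfile
from collections import Counter

# The ten connections posted in the thread, re-flowed one per line.
POSTED_NETSTAT = """\
tcp 0 0 192.168.1.3:http 86.104.31.200:40681 SYN_RECV
tcp 0 0 192.168.1.3:http 86-104-24-216.dcn:31080 SYN_RECV
tcp 0 0 192.168.1.3:http 86-104-25-13.dcn.r:2588 SYN_RECV
tcp 0 0 192.168.1.3:http 89.38.76.167:11036 SYN_RECV
tcp 0 0 192.168.1.3:http 89.36.90.234:53767 SYN_RECV
tcp 0 0 192.168.1.3:http 89.35.250.183:19545 SYN_RECV
tcp 0 0 192.168.1.3:http 86.106.135.250:21940 SYN_RECV
tcp 0 0 192.168.1.3:http 86-104-25-149.dcn.:4078 SYN_RECV
tcp 0 0 192.168.1.3:http 86-104-26-82.dcn.:33662 SYN_RECV
tcp 0 0 192.168.1.3:http 89.35.251.116:33549 SYN_RECV
"""
# Constructed (assumption): what a genuine outbound HTTP connection looks like.
CONSTRUCTED_OUTBOUND = "tcp 0 0 192.168.1.3:48213 203.0.113.10:http ESTABLISHED\n"
# Assumption for the example: services this host is expected to listen on.
LISTENING_SERVICES = {"http", "https", "smtp", "smtps", "ssh", "80", "443", "25", "465", "22"}
SOURCE_EXTS = (".c", ".pl", ".sh", ".py", ".tgz", ".tar.gz")

def parse_netstat(text):
    """Parse the TCP rows of 'netstat -a'; header and non-TCP lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] not in ("tcp", "tcp6"):
            continue
        lhost, lport = parts[3].rsplit(":", 1)
        rhost, rport = parts[4].rsplit(":", 1)
        rows.append({"lhost": lhost, "lport": lport, "rhost": rhost,
                     "rport": rport, "state": parts[5]})
    return rows

def classify(row):
    """Direction from the TCP state plus which side holds the service port.
    SYN_RECV on our listening port: the peer sent SYN, we answered SYN-ACK and
    never got the ACK, i.e. an inbound half-open connection (scan or SYN flood),
    not this host reaching out.  Outbound HTTP has our ephemeral port locally."""
    lsvc = row["lport"] in LISTENING_SERVICES
    rsvc = row["rport"] in LISTENING_SERVICES
    if row["state"] == "SYN_RECV" and lsvc:
        return "inbound-half-open"
    if row["state"] == "ESTABLISHED" and rsvc and not lsvc:
        return "outbound-established"
    if row["state"] == "ESTABLISHED" and lsvc:
        return "inbound-established"
    return "other"

def summarize(text):
    """Connection count per direction class, e.g. {'inbound-half-open': 10}."""
    return dict(Counter(classify(r) for r in parse_netstat(text)))

def suspicious_files(root):
    """The 'look in /tmp' check: regular files that are executable, ELF, or
    named like source/archives.  Returns [(path, [reasons]), ...]."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # symlinks, sockets, fifos are not the target
                with open(path, "rb") as fh:
                    is_elf = fh.read(4) == b"\x7fELF"
            except OSError:
                continue  # unreadable, e.g. another user's file when not root
            reasons = []
            if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("executable")
            if name.endswith(SOURCE_EXTS):
                reasons.append("source-or-archive")
            if is_elf:
                reasons.append("ELF-binary")
            if reasons:
                hits.append((path, reasons))
    return hits

def build_constructed_tmp():
    """Throwaway directory of constructed files standing in for /tmp."""
    root = tempfile.mkdtemp(prefix="triage-demo-")
    with open(os.path.join(root, "notes.txt"), "w") as fh:
        fh.write("harmless text\n")
    with open(os.path.join(root, "x.c"), "w") as fh:
        fh.write("int main(void) { return 0; }\n")
    binary = os.path.join(root, "srv")
    with open(binary, "wb") as fh:
        fh.write(b"\x7fELF" + b"\x00" * 12)
    os.chmod(binary, 0o755)
    return root

if __name__ == "__main__":
    print(summarize(POSTED_NETSTAT + CONSTRUCTED_OUTBOUND))
    print(suspicious_files(build_constructed_tmp()))
```

On a live box, feed it the real output (`netstat -an` or `ss -tan`, since the classifier keys on the state column and local/remote port, and numeric ports avoid resolver surprises) and point `suspicious_files` at /tmp, /var/tmp and /dev/shm. Every one of the posted rows classifies as inbound half-open: the web server's port is on the local side, which is the opposite of what an outbound connection looks like.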