Re: [fw-wiz] FW: OT? New compromise.

To: firewall-wizards@listserv.icsalabs.com
Subject: Re: [fw-wiz] FW: OT? New compromise.
From: "Mitko Stoyanov" <mstoyan@megadot.com.au>
Date: Thu, 29 Mar 2007 08:56:28 +1000 (EST)
Delivered-to: sp-com-lists@consult.net
Delivered-to: fwwizards-list2@consult.net
Delivered-to: firewall-wizards@listserv.icsalabs.com
Importance: Normal
In-reply-to: <20070328173013.89A2DE158@jimsun.linxnet.com>
List-archive: <https://listserv.icsalabs.com/pipermail/firewall-wizards>
List-help: <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=help>
List-id: Firewall Wizards Security Mailing List <firewall-wizards.listserv.icsalabs.com>
List-post: <mailto:firewall-wizards@listserv.icsalabs.com>
List-subscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=subscribe>
List-unsubscribe: <https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards>, <mailto:firewall-wizards-request@listserv.icsalabs.com?subject=unsubscribe>
References: <20070328173013.89A2DE158@jimsun.linxnet.com>
Reply-to: mstoyan@megadot.com.au, Firewall Wizards Security Mailing List <firewall-wizards@listserv.icsalabs.com>
Sender: firewall-wizards-bounces@listserv.icsalabs.com
User-agent: SquirrelMail/1.4.9a

If you suspect you have a rootkit, it shouldn't be that hard to find it,
depending on whether you can shut down any of these boxes and run Knoppix
& Tripwire or something similar. Even better if you can take the disks out
and check it on a clean box.

You may need to boot/take out the disk a few times to see what's changed
during consecutive boots and verify the checksums of common files against
good sources.

Pretty much any rootkit has to "bootstrap" itself from some kind of
executable, device driver, daemon, etc. Once bootstrapped, it would
normally hide itself; that's why it is hard to find something not generally
known on an infected box.

One very quick test I would have done is to install and try to run MS
Messenger on a Windows box; if it complains that it can't bind to 1863 then
you possibly have something bad. I haven't seen anything else running on
that port except it.


>
> Victor Williams <vbwilliams@neb.rr.com> wrote:
>>
>> Port 1863 is the port for Microsoft's Instant Messenger client
>> communications.  1720 is default for LiveMeeting...in later versions
>> these two pieces of functionality are integrated together.
>>
>> It could appear to exist on Linux boxes because of any of a number of
>> Instant Messenger clients that come by default.  I know GAIM and Kopete
>> are included by default with Fedora 4 and later and work with all the
>> major IM networks (MSN, Yahoo, ICQ, AIM).
>
> The problem is, comments like "We've been finding it a lot when looking
> at customers with spammy viruses.", "It's invisible on the local
> machine" (Gaim certainly wouldn't be hiding from ps or netstat), "I
> have several security sources and none of them have been able to
> identify it", the ability to see it when nmap'ing from an external
> host, but not from localhost, etc.
>
> All of this struck me as exceedingly odd.
>
>>
>> In MS systems, MSN IM client starts itself automatically unless you
>> specifically tell it not to.  Likewise, even if you tell it not to,
>> loading MS Office 2003 or later will re-set it so that it starts
>> automatically again.
> [snip]
>
> MS systems do a lot of things their users would prefer they not.
>
> Jim
> --
> Note: My mail server employs *very* aggressive anti-spam
> filtering.  If you reply to this email and your email is
> rejected, please accept my apologies and let me know via my
> web form at <http://jimsun.linxnet.com/contact/scform.php>.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@listserv.icsalabs.com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>


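The offline-checksum procedure described at the top of this message (boot clean media, snapshot the disk, re-snapshot after consecutive boots, diff against a known-good baseline) as an added worked example; this is not code from the thread or from any of its participants, and Tripwire itself is not used. It assumes the snapshots are taken from a clean boot medium or from a clean host with the suspect disk attached, so that a compromised kernel cannot filter what the checker sees; the directory tree, file names and contents below are constructed inline for the demonstration.

```python
"""Snapshot-and-diff integrity check: record sha256/size/mode for every
regular file under a root, persist it as JSON, and report what changed
between snapshots. Added example; assumes it is run from clean media."""
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root) -> dict:
    """Map each regular file under root (path relative to root) to its
    sha256, size and permission bits. Symlinks are skipped rather than
    followed, so a link pointing at a clean file cannot stand in for a
    replaced one."""
    root_path = Path(root)
    manifest = {}
    for dirpath, _dirnames, filenames in os.walk(root_path):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            st = p.lstat()
            rel = p.relative_to(root_path).as_posix()
            manifest[rel] = {
                "sha256": sha256_of(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o7777),
            }
    return manifest


def save_manifest(manifest: dict, path) -> None:
    """Write the baseline somewhere the suspect box cannot touch
    (the clean host, removable media)."""
    Path(path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Return added / removed / modified relative paths. A file counts as
    modified if hash, size or mode differ; hashing matters because a
    same-size replacement leaves size alone."""
    base_keys, cur_keys = set(baseline), set(current)
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": sorted(p for p in base_keys & cur_keys
                           if baseline[p] != current[p]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then simulate a
    same-size binary replacement, a new startup file and a deleted
    config, and diff the second snapshot against the stored baseline."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "root"
        (root / "sbin").mkdir(parents=True)
        (root / "etc").mkdir()
        (root / "sbin" / "ls").write_bytes(b"ELF-original-ls")   # constructed
        (root / "etc" / "inittab").write_text("id:3:initdefault:\n")

        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(root), baseline_path)

        # Changes between "boots" (constructed): same length, different bytes
        (root / "sbin" / "ls").write_bytes(b"ELF-replaced-ls")
        (root / "etc" / "rc.local").write_text("echo constructed sample\n")
        (root / "etc" / "inittab").unlink()

        return compare_manifests(load_manifest(baseline_path),
                                 build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

In real use the baseline comes from vendor-published checksums or from the same disk imaged before the suspicion arose, and the diff is read with the list of files expected to change legitimately (logs, package databases) in mind; anything changed under `/sbin`, `/lib` or the driver directories that no update explains is what the "bootstrap" paragraph above points at.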