Thread: really, really weird... need reply

  1. #1
    Banned
    Join Date
    May 2003
    Posts
    31

    really, really weird... need reply

    You may remember my problem from before. This is another, really weird chapter. I've recently been assigned to administer a 24-workstation inter-office network, all NT & 2000. One of my users has been visiting amateur cracking sites and browsing the internet on company time way too much. He's also downloaded 'netcat', the Windows version of 'john the ripper' & YAPS (shitty Windows port scanner). Before I did anything I wanted to see more "not-so-cool" activity. I wanted him to do something... back to that later.

    The company public web site hasn't been contracted out to my company. Instead the PR dep. recruited a "web design" company which also hosts the server. Even though this is not my job, I decided to "nmap" the machine. Here are the results w/ the "-sS -O" options!

    21/tcp open ftp
    22/tcp open ssh
    23/tcp open telnet
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop-3
    113/tcp open auth
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    143/tcp open imap2
    144/tcp open news
    161/tcp filtered snmp
    306/tcp open unknown
    307/tcp open unknown
    443/tcp open https
    513/tcp open login
    514/tcp open shell
    543/tcp open klogin
    544/tcp open kshell
    1112/tcp filtered msql
    2105/tcp open eklogin
    3333/tcp filtered dec-notes
    4333/tcp filtered msql
    5000/tcp filtered fics
    6666/tcp filtered irc-serv
    6667/tcp filtered irc
    6668/tcp filtered irc
    7000/tcp filtered afs3-fileserver
    7001/tcp filtered afs3-callback
    7007/tcp filtered afs3-bos
    31337/tcp filtered Elite

    First of all, the box confuses the hell out of nmap's OS detection. But I'd think it's a safe bet it's a *nix system. Is this system hacked? Look at the damn 31337 port open; it's even named Elite. Why is IRC running on this company system... any advice?

  2. #2
    Member
    Join Date
    Nov 2002
    Posts
    80
    The best way to find out is simply to ask them, say that you were following up on suspicious activity. Also if you think it is one of your users that has done this then you have a responsibility to inform them asap.

    I feel I should point out gathering some proof may be a good idea; you should look at your proxy/firewall logs (if the box is outside your network), as the downloading of some cracking tools is merely circumstantial.

    Sorry I can't give you a good analysis of the nmap scan, but I agree it does look very suspect at face value.

  3. #3
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Many companies run IRC servers... that's not that big of a deal.... Also the BO port (31337) is filtered.. I'm guessing they're catching people scanning their network for the port.

    I wouldn't be too concerned about the port listing on the system... They are a web design/hosting company.. and more than likely they offer other services to the public.... Also you are in the wrong; you never should have scanned a system that isn't your own and has nothing to do with you. They may host your company's website but that's your only relationship with them.... Stay away from their system is my advice to you... it's better for you, for their company and saves their admins the headaches of having to figure out why they are being port scanned.....
    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    In short it ain't hacked, and by the looks of the port scan it's running some type of firewall, so congrats, you made the logs. Notice the filtered state? That means there is some sort of firewall in place. You can use the -sA switch with "nmap" to check for firewall rules.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/
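
An added example (not code from anyone in this thread) that reads a port table in the shape of the nmap output from post #1 and applies the point made in post #4: a "filtered" state means the probe was dropped by a packet filter and says nothing about a service listening there, so a filtered 31337 is not evidence of a trojan. The sample scan, the cleartext-login list and the r-services list are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the shape of nmap's port table (not the thread's real host).
SAMPLE_SCAN = """\
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
80/tcp open http
139/tcp filtered netbios-ssn
513/tcp open login
514/tcp open shell
6667/tcp filtered irc
31337/tcp filtered Elite
"""

# One nmap port row: "<port>/<proto> <state> <service>" (older nmap layout, as in post #1).
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S.*)$")

# Assumed review lists: services whose logins travel in the clear, and the
# Berkeley r-services that rely on host-based trust. Neither comes from nmap.
CLEARTEXT_AUTH = {21: "ftp", 23: "telnet", 110: "pop-3", 143: "imap"}
R_SERVICES = {513: "login", 514: "shell"}


def parse_scan(text):
    """Turn nmap port rows into dicts; non-matching lines are skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ports.append({
            "port": int(m.group(1)),
            "proto": m.group(2),
            "state": m.group(3),
            "service": m.group(4).strip(),
        })
    return ports


def summarize(ports):
    """Count states and produce the findings a defender would act on."""
    states = Counter(p["state"] for p in ports)
    findings = []
    for p in ports:
        tag = f"{p['port']}/{p['proto']}"
        if p["state"] == "open" and p["port"] in CLEARTEXT_AUTH:
            findings.append(f"{tag}: cleartext credentials ({p['service']})")
        elif p["state"] == "open" and p["port"] in R_SERVICES:
            findings.append(f"{tag}: r-service, host-based trust ({p['service']})")
        elif p["state"] == "filtered":
            # 'filtered' = no reply or ICMP unreachable: something dropped the probe.
            # That is evidence of a packet filter, not of a listening service.
            findings.append(f"{tag}: filtered, no evidence of a listener ({p['service']})")
    return {
        "states": dict(states),
        "firewall_likely": states["filtered"] > 0,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in summarize(parse_scan(SAMPLE_SCAN))["findings"]:
        print(finding)
```

Run against the sample, the script reports the two cleartext logins (ftp, telnet) and the two r-services as the things worth raising with whoever owns the box, and lists every filtered port, 31337 included, as "no evidence of a listener".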

  5. #5
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    DEAR GOD!

    This box has more openings than swiss cheese!

    port 31337 is a trojan port for sure.

    Also, if you have permission, try telnetting into this box and see if it lets you in. If you're the admin it should be ok, but check first so you don't get yourself in any trouble. Any concerned admin would have a field day with this machine.

    Remember though, get all permission you need before conducting any tests IN WRITING, unless you trust them and they say ok.

    What is this machine supposed to be doing? As for your little co-worker who is surfing hacking sites and doing things he shouldn't be, please refer to my Bastard sys admin from Michigan stories for things to do.

  6. #6
    Junior Member
    Join Date
    May 2003
    Posts
    16
    Does your company have any rules/regs regarding 'Appropriate Use of the Internet'? If so, is downloading and installing such programs against said regulations? I would hope the answer to these questions is yes.

    If so, inform the user that the downloaded programs are in violation of the 'Acceptable Use' policy, and he should remove them.
    Those who speak of what they know... find out too late that prudent silence was wise.
    --Madame Giry, Phantom of the Opera

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    747
    Yeah, TCP port 31337 is a trojan port (also unassigned).

    It can play host to:

    BackOrifice.120
    Kahled.100
    OPC.200

  8. #8
    Banned
    Join Date
    May 2003
    Posts
    31
    quote "many companies run IRC"... not in this case, there is no need whatsoever for this company to run IRC... you are gonna have to trust me on that one...

    if and if, the IRC ports would be legitimate (personally i think this is a zombie) why in the world would they be filtered... please ... if you wanna have interdepartmental communication you are NOT gonna run IRC for that...

    the telnet banner grab gives me "FreeBSD i386" ... BUT that doesn't fit in w/ the whole 31337 thing...

    31337... i know, i know... the first thing that came to my mind was that it's a win box w/ a trojan but (look above) it's not .. i repeat, it's not a windows box....

    i'm gonna level w/ you... personally i think this system has way too many ports open... if this IS a professional job then this box has to be running OpenBSD w/ a honey pot of some kind on a cluster.... if not then it's way too open and it's way too overloaded...

    and who is scanning for BO these days... please... there are so many better trojans out there where you can even change the server port # ... but remember this machine is unix....

    i believe 70% that this is some kind of bore & inject hack job and i'm gonna level w/ you guys ... if i'm correct and i'm able to prove it i can get a promotion and work w/ *nix web servers, not stupid NT crap... and let's not forget the $.

    If you are interested in helping me in this please pm me and i will give you the ip ... this goes for ppl that i know who will not damage the system or do anything malicious... i.e. (gore, phishphreak..... and others)

    i just have to say one more time... just look ... look at the nmap output... do you really think it's a pro job... telnet & ftp don't even have login disabled after 3 attempts.... i can write a bash brute-forcing script in 5 minutes & let it run all night......

    what should i do... i'm not gonna try & crack the system. ... don't even suggest that... but i need to find out if the system isn't already cracked

  9. #9
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    There are trojan tools for FreeBSD; last time i installed they offered the netbus tools and **** right on the CDs. So this isn't out of the question. I think being paranoid is also a good thing. a good admin needs medication for his nerves because he's worried...lol ok it's half true but anyway i think you should contact them and ask "hey what's going on, i got lusers accessing bad sites and a box fulla openings, why?"

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,914
    Originally posted here by unhappyStar_7
    quote "many companies run IRC"... not in this case, there is no need whatsoever for this company to run IRC... you are gonna have to trust me on that one...

    if and if, the IRC ports would be legitimate (personally i think this is a zombie) why in the world would they be filtered... please ... if you wanna have interdepartmental communication you are NOT gonna run IRC for that...
    It's not your company, so how do you know what their needs are... maybe one of the guys runs an IRC server for him and his friends.. and it's filtered because it has an ACL to only allow certain people to connect.. A friend of mine used to admin a hosting company and that was what he did.. had his IRC server running their set-up to only accept certain connections..

    the telnet banner grab gives me "FreeBSD i386" ... BUT that doesn't fit in w/ the whole 31337 thing...

    31337... i know, i know... the first thing that came to my mind was that it's a win box w/ a trojan but (look above) it's not .. i repeat, it's not a windows box....

    i'm gonna level w/ you... personally i think this system has way too many ports open... if this IS a professional job then this box has to be running OpenBSD w/ a honey pot of some kind on a cluster.... if not then it's way too open and it's way too overloaded...
    Why does the box have to be running OpenBSD to be professional??? I can show you a professional system set-up on any OS. It's quite possibly a series of Honeypots and once again 31337 could be detecting scans for BO and other trojans.. It's a basic trojan port.

    and who is scanning for BO these days... please... there are so many better trojans out there where you can even change the server port # ... but remember this machine is unix....
    That's right it's unix, but they're still watching for scans.... Tons of ISPs do it.. And tons of people scan for BO.. if yer an admin and you don't think that's true... you aren't doing a good job and shouldn't have your job.... Let alone be hoping for a promotion... I can show you tons of 31337 scans every day.

    i believe 70% that this is some kind of bore & inject hack job and i'm gonna level w/ you guys ... if i'm correct and i'm able to prove it i can get a promotion and work w/ *nix web servers, not stupid NT crap... and let's not forget the $.
    Now I'm just confused... The webserver isn't yours....and you insist it's *nix... so now why are you saying you will get to work with *nix web servers and forget about NT crap... do you even know what you are talking about anymore??

    If you are interested in helping me in this please pm me and i will give you the ip ... this goes for ppl that i know who will not damage the system or do anything malicious... i.e. (gore, phishphreak..... and others)
    I don't think anyone here trusts you and knows that.....

    i just have to say one more time... just look ... look at the nmap output... do you really think it's a pro job... telnet & ftp don't even have login disabled after 3 attempts.... i can write a bash brute-forcing script in 5 minutes & let it run all night......
    You had to have tried that to find that out... That's not your job and once again this isn't your system.... Leave it alone and do your own job.

    what should i do... i'm not gonna try & crack the system. ... don't even suggest that... but i need to find out if the system isn't already cracked
    The system is not cracked.. if you think it is, you're an idiot who should not be an admin.. These guys host professionally.. They know what they are doing.. You obviously do not.. or you wouldn't be here asking for help....

    leave it alone and back off.
