really, really weird... need reply

[unhappyStar_7]

You may remember my problem from before. This is another, really weird chapter. I've been recently asigned to administer 24 workstation inter-office network; all NT & 2000. One of my users have been visiting amature cracking sites and browsing the internet on company time way too much. He's also downloaded 'netcat', windows version of 'john the ripper' & YAPS (shitty windows port scanner) Before I did anything I wanted to see more "not -so-cool" activity. I wanted him to do something... back to that later

The company public web site hasn't been contracted out to my company. Instead the PR dep. recruited a "web design" company which also hosts the server. Even though this is not my job, I decided to "namp" the machine. Here are the results w/ the "-sS -O" options!

21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp open auth
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap2
144/tcp open news
161/tcp filtered snmp
306/tcp open unknown
307/tcp open unknown
443/tcp open https
513/tcp open 21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
113/tcp open auth
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap2
144/tcp open news
161/tcp filtered snmp
306/tcp open unknown
307/tcp open unknown
443/tcp open https
513/tcp open login
514/tcp open shell
543/tcp open klogin
544/tcp open kshell
1112/tcp filtered msql
2105/tcp open eklogin
3333/tcp filtered dec-notes
4333/tcp filtered msql
5000/tcp filtered fics
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
7000/tcp filtered afs3-fileserver
7001/tcp filtered afs3-callback
7007/tcp filtered afs3-bos
31337/tcp filtered Elite login
514/tcp open shell
543/tcp open klogin
544/tcp open kshell
1112/tcp filtered msql
2105/tcp open eklogin
3333/tcp filtered dec-notes
4333/tcp filtered msql
5000/tcp filtered fics
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
7000/tcp filtered afs3-fileserver
7001/tcp filtered afs3-callback
7007/tcp filtered afs3-bos
31337/tcp filtered Elite

Firs of all the box confuses the hell out of nmap's OS detection. But I'd think it's a safe bet it's *nix system. Is this system hacked. Look at the damn 31337 port open it's even named Elite. Why is IRC running on this company system... any advice

[waverebel]

The best way to find out is simply to ask them, say that you were following up on suspicious activity. Also if you think it is one of your users that has done this then you have a responsibility to inform them asap.

I feel I should point out gathering some proof may be a good idea, you should look at your proxy/firewall logs (if the box is outside your network), as the downloading of some cracking tools is merely circumstancial.

Sorry I can't give you a good analysis of the nmap scan, but I agree it does look very suspect at face value.

[HTRegz]

Many companies run IRC servers... that's not that big of a deal.... Also the BO Port (31337) is filtered.. I'm guessing their catching people scanning their network for the port.

I wouldn't be too concerned about the port listing on the system... They are a webdesign/hosting company.. and more than likely they offer other services to the public.... Also you are in the wrong, you never should have scanned a system that isn't your own and has nothing to do with you. They may host your company's website but that's your only relationship with them.... Stay away from their system is my advice to you... it's better for you, for their company and saves their admins the headaches of having to figure out why they are being port scanned.....

[prodikal]

In short it aint hacked and by the looks of the port scan its running some type of firewall so congrats you made the logs notice the filtered state ? that means there is some sort of firewall in place you can use the -sA switch with "nmap" to check for firewall rules

[gore]

DEAR GOD!

This box has more openings than swiss cheese!

port 31337 is a trojan port for sure.

Also, if you have permission, try telnetting into this box and see if it lets you in. If your the admin it should be ok but check first so you dont get yourself in any trouble. Any concerned admin would have a field day with this machine.


Remember though get all permission you need before conducting any tests IN WRITING unless you trust them and they say ok.

What is this machine supposed to be doing? As for your little co worker who is surfing hacking sites and doing things he shouldnt be, please refer to my Bastard sys admin from Michigan stories for things to do.

[Nimh]

Does your company have any rules/regs regarding 'Appropriate use of the Internet'? If so, are d/l inguch installed programs, against said regulations? I would hope the answer to these questions is yes.

If so, inform the user that the downloaded programs are in violation of the 'Accpetable Use' policy, and should remove them.

[FrameWork]

Yeah TCP port 31337 is a trojan port(also unassigned).

It can play host to:

BackOrifice.120
Kahled.100
OPC.200

[unhappyStar_7]

quote "many companies run IRC"... not in this case, there is no need what so ever for this company to run IRC... you are gonna have to trust me on that one...

if and if, the IRC ports would be legitimate (personally i think this is a zombie) why in the world would they be filtered... please ... if you wanna have interdepartmental communication you are NOT gonna run IRC for that...

the telnet banner grab gives me "FreeBSD i386" ... BUT that doesn't fit in w/ the whole 31337 thing...

31337... i know, i know... the first thing that came to my mind was that it's win box w/ a trojan but (look above) it's not .. i repeate it's not a windows box....

i'm gonna level w/ you... personally i think this system has way too many ports open... if this IS a professional job than this box has to be running OpenBSD w/ honey pot of some kind on a cluster.... if not than it's way to open and it's way too overloaded...

and who is scanning for BO these days... please... there are so many better trojans out there where you can even change the server port # ... but remmember this machine is unix....

i believe 70% that this is some kind of bore & inject hack job and i'm gonna level w/ you guys ... if i'm correct and i'm able to prove it i can get promotion and work w/ *nix web servers not stupid NT crap... and let's not forget the $.

If you are interested in helping me in this please pm me and i will give you the ip ... this goes for ppl that i know who will not damage the system or do anything malicious...ei (gore, phishphreak..... and others)

i just have to say one more time... just look ... look at the nmap output... do you really think it's a pro job... telnet & ftp don't even have login disable after 3 attempts.... i can write a bash brute - forcing script in 5 minutes & let it run all night......

what should i do... i'm not gonna try & crack the system. ... don't even suggest that... but i need to find out if the system isn't already cracked

[gore]

There is trojan tools for Free BSD, last time i installed they offer the netbus tools and **** right on the CDs. So this isnt out of the question. I think being paranoid is also a good thing. a good admin needs medication for his nerves because hes worried...lol ok its half true but anyway i think you should contact them and ask "hey whats going on i got lusers acessing bad sites and a box fulla openings why?"

[HTRegz]

Originally posted here by unhappyStar_7
quote "many companies run IRC"... not in this case, there is no need what so ever for this company to run IRC... you are gonna have to trust me on that one...

if and if, the IRC ports would be legitimate (personally i think this is a zombie) why in the world would they be filtered... please ... if you wanna have interdepartmental communication you are NOT gonna run IRC for that...

It's not your company, so how do you know what their needs are... maybe one of the guys runs an IRC server for him and his friends.. and it's filtered because it has an ACL to only allow certain people to connect.. A friend of mine used to admin a hosting company and that was what he did.. had his IRC server running their set-up to only accept certain connections..

the telnet banner grab gives me "FreeBSD i386" ... BUT that doesn't fit in w/ the whole 31337 thing...

31337... i know, i know... the first thing that came to my mind was that it's win box w/ a trojan but (look above) it's not .. i repeate it's not a windows box....

i'm gonna level w/ you... personally i think this system has way too many ports open... if this IS a professional job than this box has to be running OpenBSD w/ honey pot of some kind on a cluster.... if not than it's way to open and it's way too overloaded...

Why does the box have to be running OpenBSD to be professional??? I can show you a professional system set-up on any OS. It's quite possibly a series of Honeypots and once again 31337 could be detecting scans for BO and other trojans.. It's a basic trojan port.

and who is scanning for BO these days... please... there are so many better trojans out there where you can even change the server port # ... but remmember this machine is unix....

That's right it's unix, but they're still watching for scans.... Tons of ISPs do it.. And tons of people scan for BO.. if yer an admin and you don't think that's true... you aren't doing a good job and shouldn't have your job.... Let alone be hoping for a promotion... I can show you tons of of 31337 scans every day.

i believe 70% that this is some kind of bore & inject hack job and i'm gonna level w/ you guys ... if i'm correct and i'm able to prove it i can get promotion and work w/ *nix web servers not stupid NT crap... and let's not forget the $.

Now I'm just confused... The webserver isn't yours....and you insist it's *nix... so now why are you saying you will get to work with *nix web servers and forget about NT crap... do you even know what you are talking about anymore??

If you are interested in helping me in this please pm me and i will give you the ip ... this goes for ppl that i know who will not damage the system or do anything malicious...ei (gore, phishphreak..... and others)

I don't think anyone here trusts you and knows that.....

i just have to say one more time... just look ... look at the nmap output... do you really think it's a pro job... telnet & ftp don't even have login disable after 3 attempts.... i can write a bash brute - forcing script in 5 minutes & let it run all night......

You had to have tried that to find that out... That's not your job and once again this isn't your system.... Leave it alone and do your own job.

what should i do... i'm not gonna try & crack the system. ... don't even suggest that... but i need to find out if the system isn't already cracked

The system is not cracked.. if you think it is your an idiot who should not be an admin.. These guys host professionally.. They know what they are doing.. You obviously do not.. or you wouldn't be here asking for help....

leave it alone and back off.