Page 1 of 2 12 LastLast
Results 1 to 10 of 15

Thread: How do I handle this...

  1. #1
    Junior Member
    Join Date
    Aug 2005
    Posts
    18

    How do I handle this...

    I currently work for a company that manages the internet connections of about 1200 hotels across the US. My job requires me to answer support calls and do basic troubleshooting on our severs installed in hotels.

    When I started working at the company I noticed a large amount of spam coming into our mail boxes from the company exchange server. This of course is annoying and makes my day just a little more misrable then it has to be. I decided to start doing a personal audit of our companys security and found
    port 4444 sitting open on our companys exchange server.

    Our company runs linux/open bsd on most of its equipment with cisco equipment linking it all. It looks like a solid setup from my probeing but this port really bothers me.

    How do I determine exactly what is going on here with the open port on the server... every port list I have consulted says that this is a known port for RATs and if this server has been "owned" then every other server in the network is in trouble. If this really is a problem I need to know how to let my company know in a way which is going to get their attention. The managers I have made aware about this have shown little to no intrest and I think something is being missed.

    Anyone been here before?

    FN-

  2. #2
    show them some websites with warnings to that port...

    http://www.auditmypc.com/port/tcp-port-4444.asp

    or get apacket sniffer and see if anythings going on there....
    O.G at A.O

  3. #3
    Senior Member WolfeTone's Avatar
    Join Date
    Jun 2007
    Location
    Ireland
    Posts
    197
    Stick on a packet sniffer (ethereal) and see what traffic is going out over this port, it's source and destination.

    Try do disable this port if you are sure nothing legit is using it and see if anyone complains about not being able to do anything.

  4. #4
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391

    Thumbs down

    Just close it up, and if no one complains then it's safe to leave closed, but i doubt that there is any valid reason in why it should of been left wide open in the first place..

  5. #5
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    yeah, close it up.

    If you want some impact, point out that in recent cases people have been sued over spam and if you have a compromised server you might be next.
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    What OS? If its XP SP2 or Server 2k3, try from a command prompt: netstat -nab

    If its some other windows OS, try downloading Fport from foundstone: Here

    Both of these will tell you what program has what port open...keep in mind that if there is a rootkit installed, you may not be able to trust netstat, in which case fport should be used...

    This should at least provide a clue as to what has the port open...just at a glance, metasploit defaults to tcp/4444 quite frequently...should definitely look a little harder to see what is going on...
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    You may also want to check to make sure that the firewalls are not blocking this port by default. Sure, it may be open "inside" the network, but is it open from "outside" the network is probably a better question.

    If it is open from outside the network, then you definetly have a problem.

  8. #8
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    My first thought whenever I see port 4444 open is Metasplolit...almost every payload will use port 4444 for the return shell.

    It certainly does not need to be open on an exchange server for normal operation - have you tried to telnet to it and grab a banner - it may give you more of an insight - also try browsing to it with your web browser or even using Xprobe2 or Nmap to try and determine a service.

    Either way no legitimate application will use port 4444 due to the stigma that surrounds it.

    My guess is that you do not have admin access to the Exchange server so you will be unable to investigate it from a server point of view which only really leaves the options I mentioned above open to you- personally I would recommend you raise this with your domain admin as soon as you can and let him look into it - go direct to the person who is responsible for the mail server instead of your managers as he will have a vested interest in looking after the mail server.......

  9. #9
    Junior Member
    Join Date
    Aug 2005
    Posts
    18

    Thanks

    Your are correct is guessing that I don't have admin rights to this box. I had to use wireshark and nmap to find this port and it was done from my computer at home using wireshark via our webmail.

    I'm gonna do some research on Metasplolit and see if it helps me figure out more about this.

    Thanks.

    FN-

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Posts
    3,915
    My suggestion is to walk away...

    You are probing your company's resources without permission... Depending on your Sys Admins you could find yourself without a job. Depending on where you live you could also be breaking the law...

    If you really want to do something about it... Go to an internet cafe, see if the port is available from the internet (or if it's only on the LAN) and send an email from a throw away anonymous email account to the sys admin... Then forget about it.

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Hacker Handle Generator
    By MrLinus in forum Tech Humor
    Replies: 36
    Last Post: May 28th, 2004, 08:51 AM
  3. Change Handle (Username)
    By Trust_Not_123 in forum Site Feedback/Questions/Suggestions
    Replies: 16
    Last Post: May 6th, 2003, 04:46 PM
  4. 80x86 Assembly with Masm: Tutorial IV
    By Cheeseball in forum Other Tutorials Forum
    Replies: 10
    Last Post: January 9th, 2003, 03:39 PM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •