
| Subject: | Re: Server Compromised ? |
|---|---|
| Date: | Fri, 27 Jan 2006 07:25:36 -0800 |
On 1/26/06, Daniel Gil <Daniel.Gil@itcon.com.ar> wrote:
I am a bit confused.
<snip>
I have some questions that I can't answer yet: 1.- What is the real meaning of all those ports open on both machines at address 0.0.0.0? Is it okay to have so many?
0.0.0.0 simply means "all addresses". Therefore, anything listening on 0.0.0.0 will be served on any IP defined on your box. As to if it's okay to have that many, you need to find out the expected ports for all services you know you want running on it, then compare. If you don't expect it, then it's not okay.
2.- Who/what is listening on port 2751 (and on other ones) on server A?
There are standard port definitions (e.g. 80/tcp for HTTP), but you can make any service listen on any port supported by the protocol (e.g. 8080/tcp for HTTP). Since these are W2K boxes, the included version of NETSTAT.EXE does not have the "-o" switch, which ties the port to a PID. A freeware utility from SysInternals, called TCPVIEW, will provide this functionality in a nice little GUI for you. Google for it. Many of their tools are quite valuable in sorting through these kinds of things - beyond simple identification of a listening process. Other tools exist for this purpose as well. Google for Foundstone and check out their freeware too.
Any help/hint will be appreciated !!! I have run Antivirus & Antispyware without any success on server A.
Does the software not run successfully or simply does not report anything untoward? Either way, if you suspect the box is compromised, don't trust the output. If you prove the box is uncompromised, either fix your AV/Spyware software (if the former condition is true), or take the output as verification the box is not compromised (if the latter is true). My two cents. RE
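An added example, not from the thread, of the expected-versus-observed check the reply recommends: it parses constructed Windows `netstat -an` output, keeps TCP sockets in LISTENING state plus every bound UDP socket (which has no state column), and reports any listener missing from a hypothetical baseline of ports the administrator knows should be open. The baseline, the sample output and the `unexpected_listeners` name are assumptions for illustration.

```python
import re
from typing import List, Set, Tuple

# Constructed sample of Windows `netstat -an` output (not captured from the
# servers in the thread). RFC 5737 documentation addresses are used.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:2751           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51324     ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.0.2.10:1900        *:*
"""

# Hypothetical baseline: (protocol, port) pairs the admin expects on this box.
EXPECTED_BASELINE = {("TCP", 80), ("TCP", 135), ("TCP", 445), ("UDP", 445)}

# proto, local ip, local port, foreign address, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listeners(netstat_output: str) -> Set[Tuple[str, int, str]]:
    """Return (proto, port, bound_ip) for every socket that accepts input."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank and unrecognised lines
        proto, ip, port, _foreign, state = m.groups()
        # Only LISTENING TCP sockets are servers; established ones are clients
        # or accepted connections. UDP sockets are always receivers.
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, int(port), ip))
    return found


def unexpected_listeners(netstat_output: str,
                         expected: Set[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Listeners not in the baseline; 0.0.0.0 means bound on every local IP."""
    return sorted((p, port, ip) for p, port, ip in listeners(netstat_output)
                  if (p, port) not in expected)


if __name__ == "__main__":
    for proto, port, ip in unexpected_listeners(SAMPLE_NETSTAT, EXPECTED_BASELINE):
        print(f"unexpected {proto} listener on {ip}:{port} - identify the owning process")
```

On a W2K host the owning process for each flagged port still has to be resolved with TCPView (or `netstat -o` on later Windows), since the parser only tells you which ports lack a known owner in the baseline.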