| Subject: | Re: Server Compromised ? |
|---|---|
| Date: | Sun, 29 Jan 2006 13:41:53 +0000 |
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Mail me off list if you'd like.
xyberpix
Blog: http://blogs.securiteam.com
On 26 Jan 2006, at 18:08, Daniel Gil wrote:
I am a bit confused.
I have got two servers (let's say server A 123.123.123.123 & server B
123.123.123.124) behind my ISP firewall.
Both are W2k, and if I run 'netstat -an' I get similar results:
Server A
Proto Dirección local Dirección remota Estado
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING
TCP 0.0.0.0:110 0.0.0.0:0 LISTENING
TCP 0.0.0.0:554 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1044 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1057 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1058 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1059 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1061 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1063 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1065 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1068 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1080 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1082 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1085 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1097 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1098 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1102 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1144 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1148 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1149 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1150 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1162 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1171 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1172 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1177 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1178 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1179 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1186 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1187 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1352 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1503 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2751 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3584 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3587 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3591 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3601 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3604 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3607 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3612 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3615 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3619 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3622 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3627 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3630 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3635 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3638 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3645 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3648 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3649 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9093 0.0.0.0:0 LISTENING
TCP 0.0.0.0:63148 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1057 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1058 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1059 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1061 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1063 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1065 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1068 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1080 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1082 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1085 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1097 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1102 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1144 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1148 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1149 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1162 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1177 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1178 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1179 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1186 127.0.0.1:1187 ESTABLISHED
TCP 127.0.0.1:1187 127.0.0.1:1186 ESTABLISHED
TCP 127.0.0.1:9092 0.0.0.0:0 LISTENING
TCP 127.0.0.1:9092 127.0.0.1:1057 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1058 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1059 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1061 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1063 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1065 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1068 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1080 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1082 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1085 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1097 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1102 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1144 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1148 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1149 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1162 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1177 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1178 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1179 ESTABLISHED
TCP 127.0.0.1:9094 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12025 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12080 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12110 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12119 0.0.0.0:0 LISTENING
TCP 127.0.0.1:12143 0.0.0.0:0 LISTENING
TCP 123.123.123.123:25 201.255.40.183:62323 TIME_WAIT
TCP 123.123.123.123:80 200.61.53.112:1492 FIN_WAIT_2
TCP 123.123.123.123:80 200.114.226.119:6686 TIME_WAIT
TCP 123.123.123.123:80 200.114.226.119:8151 TIME_WAIT
TCP 123.123.123.123:80 200.114.226.119:8229 TIME_WAIT
TCP 123.123.123.123:80 201.216.221.177:2285 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3370 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3390 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3420 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3422 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3424 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3435 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3441 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3444 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3492 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3537 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3545 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3567 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3579 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3593 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3600 TIME_WAIT
TCP 123.123.123.123:80 201.252.128.57:3628 TIME_WAIT
TCP 123.123.123.123:1150 123.123.123.123:8083 ESTABLISHED
TCP 123.123.123.123:1171 123.123.123.123:9093 ESTABLISHED
TCP 123.123.123.123:1172 123.123.123.123:9093 ESTABLISHED
TCP 123.123.123.123:1352 123.123.123.123:2751 ESTABLISHED
TCP 123.123.123.123:2751 123.123.123.123:1352 ESTABLISHED
TCP 123.123.123.123:8083 0.0.0.0:0 LISTENING
TCP 123.123.123.123:8083 123.123.123.123:1150 ESTABLISHED
TCP 123.123.123.123:9093 123.123.123.123:1171 ESTABLISHED
TCP 123.123.123.123:9093 123.123.123.123:1172 ESTABLISHED
UDP 123.123.123.123:500 *:*
SERVER B
<Some entries are lost>
TCP 0.0.0.0:1211 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1212 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1213 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1214 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1215 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1216 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1217 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1218 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1219 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1220 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1221 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1222 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1223 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1224 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1225 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1226 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1227 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1228 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1229 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1230 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1231 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1232 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1233 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1234 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1235 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1236 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1237 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1238 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1239 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1240 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1241 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1242 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1243 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1244 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1245 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1246 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1247 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1248 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1249 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1250 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1251 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1252 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1253 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1254 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1255 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1256 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1257 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1258 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1259 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1260 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1261 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1262 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1263 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1265 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1266 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1267 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1268 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1269 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1270 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1271 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1272 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1273 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1274 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1275 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1276 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1277 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1278 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1279 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1280 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1281 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1282 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1283 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1352 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1503 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1516 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1533 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1928 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1980 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2278 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2283 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2284 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2285 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2289 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2298 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2443 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3525 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3527 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3750 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4061 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4144 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4145 0.0.0.0:0 LISTENING
TCP 0.0.0.0:4146 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8081 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8082 0.0.0.0:0 LISTENING
TCP 0.0.0.0:8987 0.0.0.0:0 LISTENING
TCP 0.0.0.0:9093 0.0.0.0:0 LISTENING
TCP 127.0.0.1:445 127.0.0.1:4061 ESTABLISHED
TCP 127.0.0.1:1041 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1042 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1043 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1045 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1047 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1048 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1050 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1063 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1067 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1071 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1083 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1089 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1132 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1133 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1134 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1144 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1159 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1164 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1165 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1172 127.0.0.1:1173 ESTABLISHED
TCP 127.0.0.1:1173 127.0.0.1:1172 ESTABLISHED
TCP 127.0.0.1:1190 127.0.0.1:1191 ESTABLISHED
TCP 127.0.0.1:1191 127.0.0.1:1190 ESTABLISHED
TCP 127.0.0.1:1192 127.0.0.1:1193 ESTABLISHED
TCP 127.0.0.1:1193 127.0.0.1:1192 ESTABLISHED
TCP 127.0.0.1:1194 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1195 127.0.0.1:1196 ESTABLISHED
TCP 127.0.0.1:1196 127.0.0.1:1195 ESTABLISHED
TCP 127.0.0.1:1197 127.0.0.1:1198 ESTABLISHED
TCP 127.0.0.1:1198 127.0.0.1:1197 ESTABLISHED
TCP 127.0.0.1:1199 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1200 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1201 127.0.0.1:1202 ESTABLISHED
TCP 127.0.0.1:1202 127.0.0.1:1201 ESTABLISHED
TCP 127.0.0.1:1203 127.0.0.1:1204 ESTABLISHED
TCP 127.0.0.1:1204 127.0.0.1:1203 ESTABLISHED
TCP 127.0.0.1:1205 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1206 127.0.0.1:1207 ESTABLISHED
TCP 127.0.0.1:1207 127.0.0.1:1206 ESTABLISHED
TCP 127.0.0.1:1208 127.0.0.1:1209 ESTABLISHED
TCP 127.0.0.1:1209 127.0.0.1:1208 ESTABLISHED
TCP 127.0.0.1:1210 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1211 127.0.0.1:1212 ESTABLISHED
TCP 127.0.0.1:1212 127.0.0.1:1211 ESTABLISHED
TCP 127.0.0.1:1213 127.0.0.1:1214 ESTABLISHED
TCP 127.0.0.1:1214 127.0.0.1:1213 ESTABLISHED
TCP 127.0.0.1:1215 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1216 127.0.0.1:1217 ESTABLISHED
TCP 127.0.0.1:1217 127.0.0.1:1216 ESTABLISHED
TCP 127.0.0.1:1218 127.0.0.1:1219 ESTABLISHED
TCP 127.0.0.1:1219 127.0.0.1:1218 ESTABLISHED
TCP 127.0.0.1:1220 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1221 127.0.0.1:1222 ESTABLISHED
TCP 127.0.0.1:1222 127.0.0.1:1221 ESTABLISHED
TCP 127.0.0.1:1224 127.0.0.1:1225 ESTABLISHED
TCP 127.0.0.1:1225 127.0.0.1:1224 ESTABLISHED
TCP 127.0.0.1:1226 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1227 127.0.0.1:1228 ESTABLISHED
TCP 127.0.0.1:1228 127.0.0.1:1227 ESTABLISHED
TCP 127.0.0.1:1230 127.0.0.1:1231 ESTABLISHED
TCP 127.0.0.1:1231 127.0.0.1:1230 ESTABLISHED
TCP 127.0.0.1:1232 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1233 127.0.0.1:1234 ESTABLISHED
TCP 127.0.0.1:1234 127.0.0.1:1233 ESTABLISHED
TCP 127.0.0.1:1235 127.0.0.1:1236 ESTABLISHED
TCP 127.0.0.1:1236 127.0.0.1:1235 ESTABLISHED
TCP 127.0.0.1:1237 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1238 127.0.0.1:1239 ESTABLISHED
TCP 127.0.0.1:1239 127.0.0.1:1238 ESTABLISHED
TCP 127.0.0.1:1240 127.0.0.1:1241 ESTABLISHED
TCP 127.0.0.1:1241 127.0.0.1:1240 ESTABLISHED
TCP 127.0.0.1:1242 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1243 127.0.0.1:1244 ESTABLISHED
TCP 127.0.0.1:1244 127.0.0.1:1243 ESTABLISHED
TCP 127.0.0.1:1245 127.0.0.1:1246 ESTABLISHED
TCP 127.0.0.1:1246 127.0.0.1:1245 ESTABLISHED
TCP 127.0.0.1:1247 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1248 127.0.0.1:1249 ESTABLISHED
TCP 127.0.0.1:1249 127.0.0.1:1248 ESTABLISHED
TCP 127.0.0.1:1250 127.0.0.1:1251 ESTABLISHED
TCP 127.0.0.1:1251 127.0.0.1:1250 ESTABLISHED
TCP 127.0.0.1:1252 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1253 127.0.0.1:1254 ESTABLISHED
TCP 127.0.0.1:1254 127.0.0.1:1253 ESTABLISHED
TCP 127.0.0.1:1255 127.0.0.1:1256 ESTABLISHED
TCP 127.0.0.1:1256 127.0.0.1:1255 ESTABLISHED
TCP 127.0.0.1:1257 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1258 127.0.0.1:1259 ESTABLISHED
TCP 127.0.0.1:1259 127.0.0.1:1258 ESTABLISHED
TCP 127.0.0.1:1260 127.0.0.1:1261 ESTABLISHED
TCP 127.0.0.1:1261 127.0.0.1:1260 ESTABLISHED
TCP 127.0.0.1:1262 127.0.0.1:1263 ESTABLISHED
TCP 127.0.0.1:1263 127.0.0.1:1262 ESTABLISHED
TCP 127.0.0.1:1265 127.0.0.1:1266 ESTABLISHED
TCP 127.0.0.1:1266 127.0.0.1:1265 ESTABLISHED
TCP 127.0.0.1:1267 127.0.0.1:1268 ESTABLISHED
TCP 127.0.0.1:1268 127.0.0.1:1267 ESTABLISHED
TCP 127.0.0.1:1269 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1270 127.0.0.1:1271 ESTABLISHED
TCP 127.0.0.1:1271 127.0.0.1:1270 ESTABLISHED
TCP 127.0.0.1:1272 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1273 127.0.0.1:1274 ESTABLISHED
TCP 127.0.0.1:1274 127.0.0.1:1273 ESTABLISHED
TCP 127.0.0.1:1275 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1276 127.0.0.1:1277 ESTABLISHED
TCP 127.0.0.1:1277 127.0.0.1:1276 ESTABLISHED
TCP 127.0.0.1:1278 127.0.0.1:1279 ESTABLISHED
TCP 127.0.0.1:1279 127.0.0.1:1278 ESTABLISHED
TCP 127.0.0.1:1280 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1281 127.0.0.1:1282 ESTABLISHED
TCP 127.0.0.1:1282 127.0.0.1:1281 ESTABLISHED
TCP 127.0.0.1:1283 127.0.0.1:1516 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1194 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1200 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1205 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1210 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1215 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1220 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1226 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1232 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1237 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1242 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1247 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1252 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1257 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1269 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1272 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1275 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1280 ESTABLISHED
TCP 127.0.0.1:1516 127.0.0.1:1283 ESTABLISHED
TCP 127.0.0.1:1516 123.123.123.124:1264 ESTABLISHED
TCP 127.0.0.1:4061 127.0.0.1:445 ESTABLISHED
TCP 127.0.0.1:9092 0.0.0.0:0 LISTENING
TCP 127.0.0.1:9092 127.0.0.1:1041 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1042 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1043 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1045 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1047 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1048 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1050 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1063 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1067 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1071 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1083 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1089 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1132 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1133 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1134 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1144 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1159 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1164 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1165 ESTABLISHED
TCP 127.0.0.1:9092 127.0.0.1:1199 ESTABLISHED
TCP 127.0.0.1:9094 0.0.0.0:0 LISTENING
TCP 123.123.123.124:25 85.250.57.67:1278 TIME_WAIT
TCP 123.123.123.124:25 201.25.170.200:4174 TIME_WAIT
TCP 123.123.123.124:110 200.59.34.91:1050 TIME_WAIT
TCP 123.123.123.124:110 200.59.34.91:2089 TIME_WAIT
TCP 123.123.123.124:110 200.59.34.91:2090 TIME_WAIT
TCP 123.123.123.124:110 200.59.34.91:2091 TIME_WAIT
TCP 123.123.123.124:1153 123.123.123.124:9093 ESTABLISHED
TCP 123.123.123.124:1154 123.123.123.124:9093 ESTABLISHED
TCP 123.123.123.124:1160 123.123.123.124:8083 ESTABLISHED
TCP 123.123.123.124:1223 123.123.123.124:1516 ESTABLISHED
TCP 123.123.123.124:1229 123.123.123.124:1516 ESTABLISHED
TCP 123.123.123.124:1264 0.0.0.0:0 LISTENING
TCP 123.123.123.124:1264 127.0.0.1:1516 ESTABLISHED
TCP 123.123.123.124:1352 200.43.70.147:1034 ESTABLISHED
TCP 123.123.123.124:1352 200.43.70.147:1110 ESTABLISHED
TCP 123.123.123.124:1352 200.43.70.147:1145 ESTABLISHED
TCP 123.123.123.124:1352 200.43.70.147:1157 ESTABLISHED
TCP 123.123.123.124:1352 200.43.70.147:1180 ESTABLISHED
TCP 123.123.123.124:1352 200.43.70.147:1473 ESTABLISHED
TCP 123.123.123.124:1352 200.59.34.91:2301 ESTABLISHED
TCP 123.123.123.124:1352 123.123.123.124:3750 ESTABLISHED
TCP 123.123.123.124:1352 123.123.123.124:4144 ESTABLISHED
TCP 123.123.123.124:1352 123.123.123.124:4145 ESTABLISHED
TCP 123.123.123.124:1352 123.123.123.124:4146 ESTABLISHED
TCP 123.123.123.124:1516 123.123.123.124:1223 ESTABLISHED
TCP 123.123.123.124:1516 123.123.123.124:1229 ESTABLISHED
TCP 123.123.123.124:1533 200.43.70.147:1501 ESTABLISHED
TCP 123.123.123.124:3750 123.123.123.124:1352 ESTABLISHED
TCP 123.123.123.124:4066 200.43.70.147:1352 TIME_WAIT
TCP 123.123.123.124:4088 200.43.70.147:1352 TIME_WAIT
TCP 123.123.123.124:4144 123.123.123.124:1352 ESTABLISHED
TCP 123.123.123.124:4145 123.123.123.124:1352 ESTABLISHED
TCP 123.123.123.124:4146 123.123.123.124:1352 ESTABLISHED
TCP 123.123.123.124:4535 200.59.34.91:1352 TIME_WAIT
TCP 123.123.123.124:4536 200.43.70.147:1352 TIME_WAIT
TCP 123.123.123.124:8083 0.0.0.0:0 LISTENING
TCP 123.123.123.124:8083 123.123.123.124:1160 ESTABLISHED
TCP 123.123.123.124:9093 123.123.123.124:1153 ESTABLISHED
TCP 123.123.123.124:9093 123.123.123.124:1154 ESTABLISHED
UDP 123.123.123.124:500 *:*
If I run nmap from a machine inside this subnet I get for server A:
serverD:~ # nmap -sT -p5-65535 123.123.123.123
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2006-01-26 13:59 ART
Strange read error from 123.123.123.123 (104): Operation now in progress
<Lots of this>
Strange read error from 123.123.123.123 (104): Illegal seek
<Some of this>
Interesting ports on xxxxxx.xxxxxx.com (123.123.123.123):
(The 65473 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
554/tcp open rtsp
1044/tcp open unknown
1057/tcp open unknown
1058/tcp open nim
1059/tcp open nimreg
1061/tcp open unknown
1063/tcp open unknown
1065/tcp open unknown
1068/tcp open instl_bootc
1080/tcp open socks
1082/tcp open unknown
1085/tcp open unknown
1097/tcp open unknown
1098/tcp open unknown
1102/tcp open unknown
1144/tcp open unknown
1148/tcp open unknown
1149/tcp open unknown
1150/tcp open unknown
1162/tcp open unknown
1171/tcp open unknown
1172/tcp open unknown
1177/tcp open unknown
1178/tcp open skkserv
1179/tcp open unknown
1186/tcp open unknown
1187/tcp open unknown
1352/tcp open lotusnotes
1503/tcp open imtc-mcs
2751/tcp open unknown
3919/tcp open unknown
3921/tcp open unknown
3924/tcp open unknown
3926/tcp open unknown
3927/tcp open unknown
3928/tcp open unknown
3939/tcp open unknown
3942/tcp open unknown
3989/tcp open unknown
3993/tcp open unknown
3998/tcp open unknown
4001/tcp open unknown
4006/tcp open unknown
4009/tcp open unknown
4014/tcp open unknown
4017/tcp open unknown
4018/tcp open unknown
4020/tcp open unknown
4025/tcp open unknown
8081/tcp open blackice-icecap
8083/tcp open unknown
9093/tcp open unknown
63148/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 11.533 seconds
And for server B:
ServerD:~ # nmap -sT -p5-65535 123.123.123.124
Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2006-01-26 14:03 ART
Interesting ports on yyyyy.yyyyy.com (123.123.123.124):
(The 65513 ports scanned but not shown below are in state: closed)
Port State Service
25/tcp open smtp
80/tcp open http
110/tcp open pop-3
143/tcp open imap2
554/tcp open rtsp
1025/tcp open NFS-or-IIS
1352/tcp open lotusnotes
1503/tcp open imtc-mcs
1516/tcp open vpad
1533/tcp open virtual-places
8081/tcp open blackice-icecap
8082/tcp open blackice-alerts
8987/tcp open unknown
9093/tcp open unknown
Nmap run completed -- 1 IP address (1 host up) scanned in 16.718 seconds
The ports open on server B are Ok. I know who is listening in each one.
But I can't say the same about server A.
If I do a telnet from server B to A, to any port listed in nmap in which I
know (or at least believe to know) there shouldn't be any service listening
(let's say port 2751) I get this:
serverA:~ # telnet 123.123.123.124 2751
Trying 123.123.123.124...
Connected to 123.123.123.124.
Escape character is '^]'.
Connection closed by foreign host.
serverA:~ #
I have some questions that I can't answer yet:
1.- What is the real meaning of all those ports open in both machines at
address 0.0.0.0? Is it OK to have so many?
2.- Who/what is listening in port 2751 (and in other ones) on server A?
Any help/hint will be appreciated !!!
I have run Antivirus & Antispyware without any success on server A.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (Darwin)
iD8DBQFD3MYi2VKEoIQBZwkRApE3AKDJgjxI0vHLBEN328r5fVJKjtbdNQCguQ+B B5FXyVE0+8SPu6hnvPOO8gU= =Ylji -----END PGP SIGNATURE-----
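A triage sketch for the two questions in the quoted message, added here as an example and not part of the original thread: it parses `netstat -an` rows in the format shown above and sorts every 0.0.0.0 listener by what the same snapshot says about that port, then compares the result with a port scan. The category names are choices made for this example, and the sample is a subset of the Server A rows and nmap ports quoted above.

```python
import re
from collections import defaultdict

# Subset of the Server A rows quoted above (sample assembled for this example).
SAMPLE = """\
TCP 0.0.0.0:25 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1057 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1186 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1187 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1352 0.0.0.0:0 LISTENING
TCP 0.0.0.0:2751 0.0.0.0:0 LISTENING
TCP 0.0.0.0:63148 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1057 127.0.0.1:9092 ESTABLISHED
TCP 127.0.0.1:1186 127.0.0.1:1187 ESTABLISHED
TCP 127.0.0.1:1187 127.0.0.1:1186 ESTABLISHED
TCP 127.0.0.1:9092 0.0.0.0:0 LISTENING
TCP 127.0.0.1:9092 127.0.0.1:1057 ESTABLISHED
TCP 123.123.123.123:25 201.255.40.183:62323 TIME_WAIT
TCP 123.123.123.123:1352 123.123.123.123:2751 ESTABLISHED
TCP 123.123.123.123:2751 123.123.123.123:1352 ESTABLISHED
UDP 123.123.123.123:500 *:*
"""

ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse(text):
    """Return (wildcard listener ports, connected rows, this host's addresses)."""
    listeners, conns, own = set(), [], set()
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header line, UDP rows, "<Some entries are lost>", blanks
        laddr, lport, raddr, rport, state = m.groups()
        if laddr != "0.0.0.0":
            own.add(laddr)  # every local-address column value belongs to this host
        if state == "LISTENING":
            if laddr == "0.0.0.0":
                listeners.add(int(lport))
        else:
            conns.append((int(lport), raddr, int(rport)))
    return listeners, conns, own

def triage(text):
    """Map each 0.0.0.0 listener port to (category, detail).

    remote-peers  : the port has connections from other hosts (detail: peer IPs)
    host-internal : every connection on it is to this host itself (detail: peer ports)
    idle          : the snapshot shows no connection on it at all
    """
    listeners, conns, own = parse(text)
    peers = defaultdict(set)
    for lport, raddr, rport in conns:
        peers[lport].add((raddr, rport))
    report = {}
    for port in sorted(listeners):
        seen = peers.get(port, set())
        if not seen:
            report[port] = ("idle", [])
        elif all(addr in own for addr, _ in seen):
            report[port] = ("host-internal", sorted({p for _, p in seen}))
        else:
            report[port] = ("remote-peers", sorted({a for a, _ in seen if a not in own}))
    return report

def unexplained(report, scan_open):
    """Scanned-open ports that the netstat snapshot shows as idle or not at all."""
    return sorted(p for p in scan_open
                  if report.get(p, ("absent", []))[0] in ("idle", "absent"))

if __name__ == "__main__":
    result = triage(SAMPLE)
    for port, (category, detail) in result.items():
        print(f"{port:>6}  {category:<14} {detail}")
    # Ports taken from the nmap listing for Server A quoted above.
    print("check first:", unexplained(result, {25, 1057, 2751, 3919, 63148}))
```

On this sample, port 2751 comes out as one end of a host-internal connection to 1352, while 63148 and 3919 remain the ports to map to an owning process first.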