
Help with Possible Security Hole?

Status
Not open for further replies.

rburke

Programmer
Apr 28, 2002
426
US
Hello all Linux gurus,

I've recently set up 2 servers in colocation and I'm working on locking them down now. When I ran an nmap on the servers the following ports are found "filtered", but I don't even know what they are for or why they are even open.

[root@hostname root]# nmap -sS -O a.b.c.d

Starting nmap V. 2.54BETA31 ( )
Interesting ports on a-b-c-d-rev.dns.net (a.b.c.d):
(The 1549 ports scanned but not shown below are in state: closed)
Port State Service
22/tcp open ssh
6666/tcp filtered irc-serv
6667/tcp filtered irc
6668/tcp filtered irc
7000/tcp filtered afs3-fileserver

Remote operating system guess: Linux Kernel 2.4.0 - 2.4.17 (X86)
Uptime 2.015 days (since Fri Oct 10 15:54:31 2003)

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds


What services would be opening those irc ports??? I don't have any kind of irc server or even clients running.

Thanks,

Burke
 
mmmm....

What's the SSH version you're running? Several root-level exploits were discovered in ssh recently. Some punk has probably come in from those and put an IRC-bot on your machine.



_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
I just updated all the packages on the system. Here's the SSH output:

[root@localhost etc]# ssh -V
OpenSSH_3.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090602f


Thanks for the help. Does anyone know how to track down an irc bot, if one is installed? I've checked the last logins, current processes and netstat, all to no avail, for where these are coming from.

Thanks,
Burke
 
If there's a rootkit that has been run on your box, forget finding anything using system-side tools.

A well-constructed rootkit will get root on your system and replace key system utilities with trojanned versions (e.g. replace netstat, ps, top, ls, etc. with versions that will lie to you).

You will need "clean" tools, compiled from source that actually matches the md5 checksums from GNU. There is a way to find out if the system is lying to you by looking into the /proc filesystem, but once again, I suggest doing so with non-trojanned tools.

Now ask yourself: if you find that the clean tools tell you the truth, do you want to start investing time with this (finding out about everything), or do you just want to get this thing over with, wipe the box (while keeping ssh up to date... hopefully) and get the machine running ASAP?

You had backups, right?


_____________________________
when someone asks for your username and password, and much *clickely clickely* is happening in the background, know enough that you should be worried.
 
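A defensive illustration of the /proc cross-check the reply above describes, added here as example code that is not from the thread: it lists PIDs straight from /proc and PIDs as reported by ps, and reports any PID the kernel knows about but ps does not show. It assumes a Linux host; the ps invocation, the double snapshot and the sample data in the test are my own choices.

```python
"""Cross-view check for hidden processes: compare the kernel's /proc view
with the userland ps view. A trojanned ps can drop a PID from its output,
but the process still has a numeric directory under /proc.
Caveat: a kernel-level rootkit can falsify /proc as well, so run this
from clean tools and treat agreement as evidence, not proof."""
import os
import re
import subprocess

PID_RE = re.compile(r"^\d+$")


def pids_from_proc(proc_root="/proc"):
    """Every numeric directory under /proc is a live PID the kernel knows about."""
    return {int(name) for name in os.listdir(proc_root) if PID_RE.match(name)}


def pids_from_ps_output(text):
    """Parse the PID column from `ps -e -o pid=` output (one PID per line, no header)."""
    return {int(line.strip()) for line in text.splitlines() if line.strip().isdigit()}


def pids_from_ps():
    """Run ps and parse its PID list; this is the view a trojanned binary could falsify."""
    out = subprocess.run(["ps", "-e", "-o", "pid="],
                         capture_output=True, text=True, check=True).stdout
    return pids_from_ps_output(out)


def hidden_pids(proc_pids, ps_pids):
    """PIDs present in /proc but missing from ps: the signature of a userland rootkit."""
    return sorted(proc_pids - ps_pids)


def check_live_system():
    """Snapshot twice and keep only PIDs flagged both times, so a process that
    exits between the /proc read and the ps run does not show up as a false positive."""
    first = hidden_pids(pids_from_proc(), pids_from_ps())
    second = hidden_pids(pids_from_proc(), pids_from_ps())
    return sorted(set(first) & set(second))


if __name__ == "__main__":
    suspicious = check_live_system()
    if suspicious:
        print("processes visible in /proc but not in ps:", suspicious)
    else:
        print("no hidden processes detected (ps agrees with /proc)")
```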