Netspy port 1024

Status
Not open for further replies.

axman505

Technical User
Jun 20, 2001
489
US
Is this a trojan? I believe it is. I used iptables to block port 1024, both UDP and TCP. How do I get rid of this?

Also, what does this mean?

Message from syslogd@Bravo at Wed Feb 6 15:40:01 2002 ...
Bravo last message repeated 2 times


 
That says it's for Windows, but I found it on my Linux machine. Now I am confused.
 
Hi,

Why do you say it's Netspy? Is it just because that is listed as the most likely trojan on port 1024, or is there some 'evidence' on the box? Actually, all of the stuff that uses 1024 by default seems to be Windows based. However, lots of trojans can be configured to run on any port you like, so it's not that easy to know what it is just from the port.

Have you tried logging? You just add an identical rule before the 'drop' rule with target '-j LOG'.

The other thing to do is (as root):

/usr/sbin/lsof -i TCP:1024

to see what's listening on that port...

I have seen it said that KDM (KDE display manager) uses port 1024, so it might even be as innocent as that.

Regards
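The logging and lsof checks from the reply above, as an added shell example that is not part of the thread. The LOG rule is placed before the DROP for each protocol so a probe is logged and then dropped, and it carries '-m limit' so a flood of probes cannot fill syslog (the "last message repeated" lines the poster asked about are syslogd collapsing exactly that kind of repetition). IPT defaults to 'echo iptables' so the script only prints the commands; set IPT=iptables and run it as root to apply them. One caveat for the poster's setup: this appends (-A), so an existing DROP rule earlier in the chain must be deleted first (iptables -D INPUT ...), otherwise the new LOG rule sits behind it and never sees a packet.

```shell
#!/bin/sh
# Added example (not from the thread): log-then-drop a port, then list listeners.
# IPT defaults to a dry run that prints the commands instead of applying them.
IPT=${IPT:-"echo iptables"}

block_and_log_port() {
    # $1 = port, $2 = chain (default INPUT). Rules are appended in order,
    # so for each protocol the LOG rule precedes the DROP.
    port=$1
    chain=${2:-INPUT}
    for proto in tcp udp; do
        # '-m limit' caps log volume so the rule cannot be used to flood syslog.
        $IPT -A "$chain" -p "$proto" --dport "$port" \
            -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "port${port}-${proto}: " --log-level info
        $IPT -A "$chain" -p "$proto" --dport "$port" -j DROP
    done
}

show_listeners() {
    # Same check as the lsof call in the reply; -n/-P keep addresses and ports numeric.
    lsof -nP -i ":$1" 2>/dev/null || true
}

block_and_log_port 1024
show_listeners 1024
```

After applying, `iptables -L INPUT -n -v --line-numbers` shows the rule order and per-rule packet counters, so you can see whether anything is actually hitting port 1024 before deciding it is hostile.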
 
The one odd thing on my system was that the permissions for some basic commands like "ls" and "netstat" got changed so users could not run them. That was puzzling to me. That's why I was thinking something was up.

[root@Bravo sbin]# lsof -i TCP:1024
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
rpc.statd 749 root 6u IPv4 942 TCP *:1024 (LISTEN)
[root@Bravo sbin]#
 
I would advise that you compare all the executables against the originals you used to install from the distro CD... I am always VERY suspicious when I turn up at a machine and it has binaries (especially binaries like ls, etc.) in that state.

I have discovered compromised machines more often than not in these situations... it never hurts to double-check and make sure.

Just my $0.02... AV
tnedor@yahoo.com

 
Hi,

From the lsof output it looks like nfslock is using port 1024. If you do:

# /etc/rc.d/init.d/nfslock stop

then

# /usr/sbin/lsof -i TCP:1024

you'll probably see it stop. I agree 100% with TheRat though: it's common practice to substitute doctored versions of common binaries, so maybe you should do an 'rpm -Va' (verify all RPMs; it takes forever, so maybe redirect it to a file). If in doubt, reinstall the RPMs with the --replacepkgs option. Also maybe use Tripwire, which takes checksums to detect meddling with files.

Actually there have been rpc.statd exploits -->

Regards
 
Are you running named?

named 325 root 4u IPv4 1078 UDP *:1024
named 325 root 20u IPv4 1074 UDP localhost:domain
named 325 root 21u IPv4 1075 TCP localhost:domain (LISTEN)
 
I ran rpm -Va and I get something like this:

.......T /usr/src/linux-2.4.7-10/include/linux/netfilter_ipv4/ip_nat_helper.h
.......T /usr/src/linux-2.4.7-10/include/linux/netfilter_ipv4/ip_nat_protocol.h
.......T /usr/src/linux-2.4.7-10/include/linux/netfilter_ipv4/ip_nat_rule.h

How do I interpret this?
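How to read those verify lines, as an added shell example that is not part of the thread. The flag field is eight characters on an rpm of that era (S size, M mode, 5 MD5 digest, D device, L symlink, U user, G group, T mtime; newer rpm adds a ninth, P, for capabilities); a dot means that test passed and '?' that it could not be run; an optional letter after the field marks the file type (c for config, d for doc). The three lines above are mtime-only (.......T): the headers' contents still match the package and only the timestamp moved, which is what a rebuilt or touched kernel source tree looks like. The sample input below is constructed: it repeats those lines and adds hypothetical entries for /bin/ls, /bin/netstat, a config file and a missing file to show how the verdicts differ.

```shell
#!/bin/sh
# Added example (not from the thread): decode 'rpm -Va' output and flag lines
# where file contents or permissions differ from the package. The sample
# input is constructed; only the three kernel-header lines come from the post.

decode_flags() {
    # Print comma-separated meanings of the failed tests in flag field $1.
    flags=$1; out=""; i=1
    while [ "$i" -le "${#flags}" ]; do
        ch=$(printf '%s' "$flags" | cut -c"$i")
        case $ch in
            S) out="$out,size" ;;      M) out="$out,mode" ;;
            5) out="$out,md5" ;;       D) out="$out,device" ;;
            L) out="$out,symlink" ;;   U) out="$out,user" ;;
            G) out="$out,group" ;;     T) out="$out,mtime" ;;
            P) out="$out,capabilities" ;; '?') out="$out,untestable" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out#,}"
}

classify_line() {
    # One verify line in, one "VERDICT path (changes)" line out.
    line=$1
    case $line in
        missing*)
            path=$(printf '%s' "${line#missing}" | sed 's/^ *//')
            printf 'SUSPECT %s (file missing)\n' "$path"
            return ;;
    esac
    flags=${line%% *}
    rest=$(printf '%s' "${line#* }" | sed 's/^ *//')
    attr=""
    case $rest in
        [cdglr]\ *) attr=${rest%% *}; rest=$(printf '%s' "${rest#* }" | sed 's/^ *//') ;;
    esac
    changes=$(decode_flags "$flags")
    verdict=OK
    if [ -n "$changes" ]; then
        verdict=NOTE   # e.g. mtime only: timestamp touched, contents intact
        case ",$changes," in
            *,size,*|*,md5,*|*,mode,*|*,user,*|*,group,*|*,symlink,*)
                # Contents or permissions differ from the package: expected for a
                # hand-edited config file, alarming for a system binary.
                if [ "$attr" = c ]; then verdict=EDITED-CONFIG; else verdict=SUSPECT; fi ;;
        esac
        printf '%s %s (%s)\n' "$verdict" "$rest" "$changes"
    else
        printf '%s %s\n' "$verdict" "$rest"
    fi
}

rpm_verify_report() {
    # Read 'rpm -Va' output on stdin and classify every non-empty line.
    while IFS= read -r line; do
        if [ -n "$line" ]; then classify_line "$line"; fi
    done
}

count_suspect() {
    # Number of SUSPECT lines in a report read on stdin.
    grep -c '^SUSPECT' || true
}

# Constructed sample: the poster's three lines plus hypothetical extras.
SAMPLE='.......T /usr/src/linux-2.4.7-10/include/linux/netfilter_ipv4/ip_nat_helper.h
.......T /usr/src/linux-2.4.7-10/include/linux/netfilter_ipv4/ip_nat_protocol.h
.......T /usr/src/linux-2.4.7-10/include/linux/netfilter_ipv4/ip_nat_rule.h
S.5....T   /bin/ls
.M......   /bin/netstat
S.5....T c /etc/hosts.allow
missing    /usr/sbin/lsof'

printf '%s\n' "$SAMPLE" | rpm_verify_report
```

On the sample, the three header lines come out as NOTE (mtime only), /bin/ls and /bin/netstat as SUSPECT (digest/size or mode changed, which matches the permission changes the poster noticed), the config file as EDITED-CONFIG, and the missing file as SUSPECT. One caveat: rpm -Va compares against the RPM database on the same box, which someone with root could have tampered with too, so a clean report is not proof. Verify the suspect packages against the original package files from the install media with rpm -Vp, or reinstall them with --replacepkgs as suggested above.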
 