We use that port (submission port) and receive false positives.
We found a few documents that read that this is an expected behavior; I
think spamd sometimes connects to unused ports and creates false positives.
Google might help you.
Regards
Rodrigo O
Xnet
-----Original Message-----
From: Adam Crews [mailto:adam.crews (at mark) gmail.com]
Sent: Friday, December 29, 2006 08:01 p.m.
To: coba-e (at mark) bluequartz.org
Subject: [coba-e:08420] Re: System hacked?!?!?
If you suspect you have been hacked, do not trust anything on the system to
give you accurate readings. You should get netstat from a rpm, or other
trusted system and use that binary. There are some rootkits that will
install updated versions of lsof, netstat, ps, ls, and other useful tools
that will hide the root kit's existence.
-Adam
On 12/29/06, Will Nordmeyer <will (at mark) willspc.net> wrote:
> Sorry about the HTML - right after I sent, I realized I was in HTML...
>
> Services on:
> Domain Name Service (DNS) Server
> Email Servers
> File Transfer Protocol (FTP) Server
> MySQL Server
> Server Desktop
> Simple Network Management Protocol (SNMP) Server
> Web Server
>
> Netstat -an is attached.
>
> The GUI shows Sendmail using 465 & Portsentry using 1524 & 31337.
>
> Can I just chalk it up to false positives from chkrootkit?
>
> --Will
>
> ________________________________________
> From: Arthur Sherman [mailto:arturs (at mark) netvision.net.il]
> Sent: Friday, December 29, 2006 2:09 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08399] Re: System hacked?!?!?
>
> please post in plain text - much easier to track the thread later.
>
> port 456 could be open due to SMTPS, others could be different.
>
> could you post here what services are on/off in GUI, and also output
> of 'netstat -an' ?
>
>
> Best,
>
> --
> Arthur Sherman
>
> +972-52-4878851
> CPTeam
>
>
> ________________________________________
> From: Will Nordmeyer [mailto:will (at mark) willspc.net]
> Sent: Friday, December 29, 2006 12:59 PM
> To: coba-e (at mark) bluequartz.org
> Subject: [coba-e:08385] System hacked?!?!?
> This morning's chkrootkit output is declaring that bindshell is
> infected. ports 465, 1524 & 31337. When I do a netstat -tanup and grep
> for those ports, I see sendmail using 465 and portsentry using 1524 &
> 31337.
>
> Am I getting a false positive? What else can I check?
>
> I'm installing rootkithunter as we speak.
>
> --Will
>
>
>
--
-----------------------------------------------------------------
Shroom.net Donation Based Web Hosting
http://www.shroom.net/
-----------------------------------------------------------------
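The thread turns on two points: chkrootkit's "bindshell" test flags ports 465, 1524 and 31337 simply because something is listening on them, and Adam's advice that a possibly tampered netstat cannot be trusted to report those listeners. The script below is an added example, not code from the thread or from chkrootkit, showing one way to triage that situation on Linux: read the kernel's own socket table from /proc/net/tcp, compare it with what the netstat binary reports, and flag any listener the kernel knows about that netstat does not show. The sample /proc/net/tcp and `netstat -an` text is constructed for this example (port 31337 is deliberately omitted from the netstat sample to show what a hiding tool would look like), and the set of flagged ports is just the three named in the thread.

```python
import os
import re
import subprocess

# Ports the thread's chkrootkit run reported under its "bindshell" test.
FLAGGED_PORTS = {465, 1524, 31337}

# Constructed sample of /proc/net/tcp (the kernel's socket table).
# Local address is hex "IP:PORT"; state 0A is TCP_LISTEN.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:01D1 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 100 0 0 10 0
   4: 0100007F:0CEA 0100007F:9A3C 01 00000000:00000000 00:00000000 00000000     0        0 1005 1 0000000000000000 100 0 0 10 0
"""

# Constructed sample of `netstat -an` output. Port 31337 is missing on
# purpose, simulating a replaced netstat that hides one listener.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:465             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          127.0.0.1:39484         ESTABLISHED
"""

TCP_LISTEN = "0A"


def listening_ports_from_proc(text):
    """Return the set of TCP ports in LISTEN state from /proc/net/tcp text."""
    ports = set()
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 4 or fields[3] != TCP_LISTEN:
            continue
        # local_address looks like "00000000:01D1"; the port is hex after ':'
        ports.add(int(fields[1].rsplit(":", 1)[1], 16))
    return ports


NETSTAT_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")


def listening_ports_from_netstat(text):
    """Return the set of TCP ports netstat reports as LISTEN."""
    ports = set()
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            ports.add(int(m.group(2)))
    return ports


def triage(proc_text, netstat_text, flagged=FLAGGED_PORTS):
    """Cross-check kernel listeners against netstat's report.

    flagged_listening:   flagged ports that really are listening (expected
                         here for sendmail/portsentry, per the thread)
    hidden_from_netstat: kernel listeners netstat did not show; a tampered
                         netstat is one explanation and warrants a trusted
                         binary, as Adam suggests
    only_in_netstat:     ports netstat shows but the kernel does not
    """
    kernel = listening_ports_from_proc(proc_text)
    tool = listening_ports_from_netstat(netstat_text)
    return {
        "flagged_listening": sorted(kernel & flagged),
        "hidden_from_netstat": sorted(kernel - tool),
        "only_in_netstat": sorted(tool - kernel),
    }


def live_triage(netstat_path="netstat"):
    """Run the same comparison on the local host.

    netstat_path should point at a binary taken from trusted media (an RPM
    or another clean system), not the one already installed on a suspect box.
    """
    with open("/proc/net/tcp") as f:
        proc_text = f.read()
    out = subprocess.run([netstat_path, "-an"], capture_output=True, text=True)
    return triage(proc_text, out.stdout)


if __name__ == "__main__":
    print("sample:", triage(SAMPLE_PROC_NET_TCP, SAMPLE_NETSTAT))
    if os.path.exists("/proc/net/tcp"):
        print("live:", live_triage())
```

On the constructed sample the result is `{'flagged_listening': [465, 1524, 31337], 'hidden_from_netstat': [31337], 'only_in_netstat': []}`: the three flagged ports are genuinely open, which matches the thread's benign explanation (sendmail on 465, portsentry on 1524 and 31337), but a listener that the kernel shows and netstat does not is the discrepancy that would justify pulling netstat, ps and lsof from trusted media before concluding "false positive". On a real host, map each inode from /proc/net/tcp back to a process through /proc/[pid]/fd to confirm which daemon actually owns the port.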