Security Incidents: Re: Odd identd behavior

Re: Odd identd behavior

From: <Steve.Cummings_at_barclayscapital.com>
Date: Mon, 14 Nov 2005 18:30:51 -0000

My bet is that it is some sort of warez/IRC server for illegal downloads.

Would take an image of it and start poking around on the image to investigate. Is it possible to take the server down?

 

-----Original Message-----
From: k levinson <levinson_k_at_yahoo.com>
To: incidents_at_securityfocus.com <incidents_at_securityfocus.com>
CC: kyphros_at_gmail.com <kyphros_at_gmail.com>
Sent: Mon Nov 14 17:06:29 2005
Subject: Re: Odd identd behavior

220 and 530 messages can be SMTP, or they can be FTP
or something else. The 220 plus the "crew" banner
would make me want to run a sniffer and/or point an
FTP client at that port to determine whether that's an
FTP banner, associated with FTP tagging / pubstro
activity. The presence of lots of illegal warez files
such as DVD, games, etc. or much lower free disk space
than normal might also be a clue.

Because of the running process on the system on a
non-standard port, it seems fairly certain that a root
level compromise has occurred. However, often you
will find FTP pubstro compromises where the
"attackers" have no knowledge or interest in what your
server is or the data on it. A typical pubstro attack
will be a broad scan and compromise of lots of systems
with financial gain as the motive, with little time
and interest in reconnaissance or discovery of data.
The ident port has been used in some past documented
pubstros, possibly because the firewall was configured
to allow use of that port in and out.

http://listserv.educause.edu/cgi-bin/wa.exe?A2=ind0411&L=security&T=0&F=&S=&P=2356

- karl levinson

                

------------------------------------------------------------------------
Received on Nov 14 2005
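Karl's point above is that a 220 greeting and a 530 refusal are shared by SMTP and FTP, so the banner alone does not tell you what is listening on the identd port; you have to talk to it (or sniff someone else doing so). The script below is an added example, not code from either poster: it reads the greeting, sends the first command of each protocol and classifies the service from the reply codes (FTP answers USER with 331 or 530 and does not know HELO; SMTP answers HELO with 250 and rejects USER with 500/502). The banner text, host and port are constructed for illustration. Note that actively probing a suspected attacker-installed service changes its logs and may alert whoever runs it, so on a box you intend to image for evidence, sniff first and probe second.

```python
"""Added example: tell an FTP banner from an SMTP one on a non-standard port.

Both protocols greet with 220 and both use 530 for "not logged in", so the
greeting is ambiguous. The first command settles it: FTP answers USER with
331 (password required) or 530 (refused) and treats HELO as an unknown
command (500); SMTP rejects USER with 500/502 and answers HELO with 250.
"""
import re
import socket
import sys

# One reply line: three-digit code, then ' ' (final line) or '-' (continuation).
REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_reply(text):
    """Return (code, message) for a numeric reply, joining multi-line
    '220-...' continuations; return None if the text is not a reply at all."""
    code = None
    lines = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m and code is None:
            code = int(m.group(1))
        lines.append(m.group(3) if m else line)
        if m and m.group(2) == " ":
            break  # a space after the code marks the last line of the reply
    if code is None:
        return None
    return code, "\n".join(lines)


def classify(banner, user_reply, helo_reply):
    """Return 'ftp', 'smtp' or 'unknown' from the greeting and the replies
    to 'USER anonymous' and 'HELO'."""
    b = parse_reply(banner)
    u = parse_reply(user_reply)
    h = parse_reply(helo_reply)
    if b is None or b[0] != 220:
        return "unknown"          # not a 220 greeting: neither protocol's hello
    if h and h[0] == 250:
        return "smtp"             # only SMTP accepts HELO
    if u and u[0] in (331, 530):
        return "ftp"              # FTP asks for a password or refuses the login
    if u and u[0] in (500, 502):
        return "smtp"             # SMTP does not know the USER command
    return "unknown"


def recv_reply(sock):
    """Read from the socket until a complete (possibly multi-line) reply arrived."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
        if re.search(r"^\d{3} .*\r?\n", buf.decode("latin-1"), re.M):
            break
    return buf.decode("latin-1")


def probe(host, port, timeout=5.0):
    """Connect to host:port, run the two-command exchange and classify it.
    Returns (classification, banner)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = recv_reply(s)
        s.sendall(b"USER anonymous\r\n")
        user_reply = recv_reply(s)
        s.sendall(b"HELO probe.invalid\r\n")
        helo_reply = recv_reply(s)
        try:
            s.sendall(b"QUIT\r\n")
        except OSError:
            pass
    return classify(banner, user_reply, helo_reply), banner


# Constructed transcripts (not captured traffic) for offline demonstration.
SAMPLE_FTP = {
    "banner": "220-Welcome to the crew pubstro\r\n220 Ready.\r\n",
    "user_reply": "331 Password required for anonymous.\r\n",
    "helo_reply": "500 'HELO': command not understood.\r\n",
}
SAMPLE_SMTP = {
    "banner": "220 mail.example.invalid ESMTP\r\n",
    "user_reply": "500 5.5.1 Command unrecognized\r\n",
    "helo_reply": "250 mail.example.invalid\r\n",
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        # e.g. python probe.py 192.0.2.10 113  (host/port are assumptions)
        print(probe(sys.argv[1], int(sys.argv[2])))
    else:
        print("constructed FTP transcript ->", classify(**SAMPLE_FTP))
        print("constructed SMTP transcript ->", classify(**SAMPLE_SMTP))
```

Run with no arguments to see the two constructed transcripts classified; pass a host and port to probe a live listener. A 530 to USER is still FTP here because it means the FTP server refused the anonymous login, which is exactly what a password-protected pubstro would do.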
