Message-ID: <1033325909.29488.29.camel@dimension>
From: nc at stormvault.net (Nicolas Couture)
Subject: Ever caught BitchX listening on a port?

The version of BitchX used in the following surprise is the latest
Debian package from mirrors.kernel.org, installed with apt-get.

Surprise from BitchX follows
				--- cut ---
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 9246519 microseconds. 
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 21246336 microseconds. 
+ Ignoring time.
+ Adding open port 54655/tcp 
...

+ dimension:/home/remote# netstat -tap | grep 54655
+ tcp        0      0 *:54655                 *:*                    
+ LISTEN      28549/BitchX
+
+ dimension:/home/remote# killall BitchX
+
+ dimension:/home/remote# netstat -tap | grep 54655
+
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 32768/tcp
+ adjust_timeout: packet supposedly had rtt of 9199896 microseconds. 
+ Ignoring time.
+ Adding open port 22/tcp
+ adjust_timeout: packet supposedly had rtt of 21199929 microseconds. 
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 10193384 microseconds. 
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 22193084 microseconds. 
+ Ignoring time.
+ Adding open port 6000/tcp
+ adjust_timeout: packet supposedly had rtt of 45199938 microseconds. 
+ Ignoring time.
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 8996397 microseconds. 
+ Ignoring time.
+ The SYN Stealth Scan took 88 seconds to scan 65535 ports.
+ Interesting ports on dimension (127.0.0.1):
+ (The 65531 ports scanned but not shown below are in state: closed)
+ Port       State       Service
+ 21/tcp     open        ftp
+ 22/tcp     open        ssh
+ 6000/tcp   open        X11
+ 32768/tcp  open        unknown
+
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 88 seconds

+++ And netstat agreed +++
				--- cut ---

Additional info:

After this incident I tried to reproduce the same thing many times
without success.

There was in no case any DCC used on this BitchX session (which would
bring the client to listen on a port), and it was the only one running on
that box.

Unfortunately I do not have the required skills to go any further in
this case.


A question I have:

What would have been useful to run to gain more information about
this? I.e., if it was a BitchX exploit, I could have caught it in action
using x IDS or something similar.

Thanks,
	Nicolas Couture
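One concrete answer to the question above is to snapshot the listening sockets periodically and flag anything not on an allowlist, so an unexpected listener is recorded with its PID and program name the moment it appears rather than found by a later port scan. The script below is an added example, not code from the original post or from BitchX; it parses the text format that `netstat -tap` prints on Linux (the same format quoted in the post) and reports every LISTEN entry whose port or program is not expected. The sample `netstat` output, the allowlist and all PIDs are constructed for illustration.

```python
"""Flag unexpected listening TCP sockets from `netstat -tap` output.

Added example (not from the original post). Parses Linux `netstat -tap`
text and compares each LISTEN entry against an allowlist of expected
port -> program pairs. Run it from cron and diff the output over time to
catch a listener that appears and disappears between scans.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class Listener(NamedTuple):
    proto: str
    local_addr: str
    port: int
    pid: Optional[int]   # None when netstat prints "-" (no permission / kernel socket)
    program: str


# Constructed sample of `netstat -tap` output; PIDs and hostnames are made up.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 *:ftp                   *:*                     LISTEN      411/inetd
tcp        0      0 *:ssh                   *:*                     LISTEN      502/sshd
tcp        0      0 *:x11                   *:*                     LISTEN      799/X
tcp        0      0 *:54655                 *:*                     LISTEN      28549/BitchX
tcp        0      0 localhost:32768         *:*                     LISTEN      -
tcp        0      0 dimension:ssh           10.0.0.5:40112          ESTABLISHED 1203/sshd: remote
"""

# Without -n, netstat prints service names; map the ones in the sample back
# to port numbers (extend from /etc/services for real use).
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "x11": 6000}

# Constructed allowlist: port -> prefix of the program name expected there.
EXPECTED: Dict[int, str] = {21: "inetd", 22: "sshd", 6000: "X"}


def parse_netstat(text: str) -> List[Listener]:
    """Return every TCP socket in LISTEN state, with PID/program if shown."""
    listeners: List[Listener] = []
    for line in text.splitlines():
        # At most 6 splits so a program name containing spaces stays intact.
        parts = line.split(None, 6)
        if len(parts) < 6 or not parts[0].startswith("tcp"):
            continue  # header lines, UDP, or truncated rows
        proto, local, state = parts[0], parts[3], parts[5]
        if state != "LISTEN":
            continue
        addr, _, port_str = local.rpartition(":")
        port = int(port_str) if port_str.isdigit() else SERVICE_PORTS.get(port_str)
        if port is None:
            continue  # unknown service name; add it to SERVICE_PORTS
        pid_prog = parts[6].strip() if len(parts) > 6 else "-"
        m = re.match(r"(\d+)/(.*)", pid_prog)
        pid, program = (int(m.group(1)), m.group(2)) if m else (None, pid_prog)
        listeners.append(Listener(proto, addr, port, pid, program))
    return listeners


def unexpected_listeners(listeners: List[Listener],
                         allowlist: Dict[int, str]) -> List[Listener]:
    """Listeners whose port is not allowlisted, or whose program does not
    match the program expected on that port (e.g. a client bound to tcp/22)."""
    return [l for l in listeners
            if allowlist.get(l.port) is None
            or not l.program.startswith(allowlist[l.port])]


def report(text: str = SAMPLE_NETSTAT,
           allowlist: Dict[int, str] = EXPECTED) -> List[Tuple[int, str]]:
    """(port, 'pid/program') for every unexpected listener, in netstat order."""
    return [(l.port, f"{l.pid}/{l.program}" if l.pid is not None else l.program)
            for l in unexpected_listeners(parse_netstat(text), allowlist)]


if __name__ == "__main__":
    # In production, feed it live output: report(subprocess.check_output(
    #     ["netstat", "-tap"], text=True))
    for port, who in report():
        print(f"unexpected listener on tcp/{port}: {who}")
```

On the constructed sample this reports tcp/54655 as `28549/BitchX` and tcp/32768 with no owner, which is exactly the information the post had to reconstruct from `nmap` and `netstat` by hand. Running it from cron every minute (as root, so the PID column is populated) gives a timestamped log of when a listener appeared and which process owned it, which is what an incident responder needs to decide whether it was a DCC, a plugin, or something that warrants pulling the process with `lsof -p` and a memory dump before killing it.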
