Message-ID: <1033325909.29488.29.camel@dimension>
From: nc at stormvault.net (Nicolas Couture)
Subject: Ever caught BitchX listening on a port?
The version of BitchX used in the following surprise is the latest
Debian package from mirrors.kernel.org installed with apt-get.
Surprise from BitchX follows
--- cut ---
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 9246519 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 21246336 microseconds.
+ Ignoring time.
+ Adding open port 54655/tcp
...
+ dimension:/home/remote# netstat -tap | grep 54655
+ tcp 0 0 *:54655 *:*
+ LISTEN 28549/BitchX
+
+ dimension:/home/remote# killall BitchX
+
+ dimension:/home/remote# netstat -tap | grep 54655
+
+ dimension:/home/remote# nmap -sS -vv -P0 -p 1-65535 127.0.0.1
+
+ Starting nmap V. 2.54BETA31 ( www.insecure.org/nmap/ )
+ Host dimension (127.0.0.1) appears to be up ... good.
+ Initiating SYN Stealth Scan against dimension (127.0.0.1)
+ Adding open port 32768/tcp
+ adjust_timeout: packet supposedly had rtt of 9199896 microseconds.
+ Ignoring time.
+ Adding open port 22/tcp
+ adjust_timeout: packet supposedly had rtt of 21199929 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 10193384 microseconds.
+ Ignoring time.
+ adjust_timeout: packet supposedly had rtt of 22193084 microseconds.
+ Ignoring time.
+ Adding open port 6000/tcp
+ adjust_timeout: packet supposedly had rtt of 45199938 microseconds.
+ Ignoring time.
+ Adding open port 21/tcp
+ adjust_timeout: packet supposedly had rtt of 8996397 microseconds.
+ Ignoring time.
+ The SYN Stealth Scan took 88 seconds to scan 65535 ports.
+ Interesting ports on dimension (127.0.0.1):
+ (The 65531 ports scanned but not shown below are in state: closed)
+ Port State Service
+ 21/tcp open ftp
+ 22/tcp open ssh
+ 6000/tcp open X11
+ 32768/tcp open unknown
+
+
+Nmap run completed -- 1 IP address (1 host up) scanned in 88 seconds
+++ And netstat agreed +++
--- cut ---
Additional info:
After this incident I tried to reproduce the same thing many times
without success.
There was in no case any DCC used on this bitchx session (which should
bring the client to listen on a port) which was the only one running on
that box.
Unfortunately I do not have the required skills to go any further in
that case.
A question I have:
What would have been useful to run to gain more information about
this? I.E. if it was a bitchx exploit I could have caught it in action
using x IDS or something similar.
Thanks,
Nicolas Couture
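
Added example, not part of the original message: one way to record which process owns a listening port on Linux before that process is killed, by parsing the `/proc/net/tcp` table and matching the socket inode against each process's open descriptors. The sample table, the inode numbers and the function names are constructed for illustration; only port 54655 comes from the session above.

```python
import os
import socket
import struct

def listening_sockets(proc_net_tcp_text):
    """Return [(ip, port, inode)] for rows in LISTEN state (st == 0A)."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":
            continue
        hex_ip, hex_port = fields[1].split(":")
        # IPv4 address is printed as a host-order word; little-endian assumed.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        found.append((ip, int(hex_port, 16), int(fields[9])))
    return found

def owners_of_inode(inode, proc_root="/proc"):
    """Return [(pid, exe)] for every process holding socket:[inode] open."""
    target = "socket:[%d]" % inode
    owners = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            fds = os.listdir(os.path.join(base, "fd"))
            links = [os.readlink(os.path.join(base, "fd", fd)) for fd in fds]
            if target in links:
                owners.append((int(pid), os.readlink(os.path.join(base, "exe"))))
        except OSError:  # process exited mid-scan, or not ours to read
            continue
    return owners

def attribute_port(port, proc_net_tcp_text, proc_root="/proc"):
    """Map a listening TCP port to (ip, port, pid, exe) before anything is killed."""
    return [(ip, p, pid, exe)
            for ip, p, inode in listening_sockets(proc_net_tcp_text) if p == port
            for pid, exe in owners_of_inode(inode, proc_root)]

# Constructed sample in /proc/net/tcp layout: 0xD57F = 54655, inode 4242 is made up.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:D57F 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 4242 1
   1: 0100007F:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 4100 1
   2: 0100007F:8000 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 4300 1
"""

if __name__ == "__main__":
    with open("/proc/net/tcp") as f:  # live table on a Linux host
        print(attribute_port(54655, f.read()))
```

Reading other users' descriptors requires root, as the `netstat -tap` call in the session did; saving the result alongside the process's command line and open files preserves evidence that `killall` would otherwise destroy.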