[Snort-users] Port open question

Lance Spitzner lance at ...185...
Wed Apr 4 14:13:01 EDT 2001


On Wed, 4 Apr 2001, Joe Matusiewicz wrote:

> >EXPLOIT nlps x86 solaris overflow
> >
> >I tried using `netstat -a` to see if port 2766 was listed there, but no
> >luck.  This port is only open on one of the sparcs that I control and can't
> >figure out why.
> >
> >I can telnet to the port (e.g. telnet server 2766) and it opens a connection
> >then just sits there.  Any ideas on what it could be?
>
> This doesn't sound good.  Something running on a port and you don't know
> what it is.  Perhaps the version of netstat you're using has been replaced
> by the Bad Guys (TM) if you were r00ted.  If you ran tripwire, you could
> check to see if it was your original netstat binary.  I would bring in
> another version of netstat via floppy from another machine to see what it
> might say is running on that port.  Personally I prefer to use lsof for this.

Heh Heh, can't pass this one up.  If this is running Solaris (and your
exploit indicates it is) then you already have Tripwire run for you.
Sun has an MD5 checksum of every binary distributed for the operating system.
All you need to do is a trusted MD5 checksum of your binaries in question
and then compare it to the online database.

   http://sunsolve.Sun.COM/pub-cgi/show.pl?target=content/content7

lance
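
The comparison described in the reply above, as an added example that is not part of the original post: hash the binaries in question and compare each digest to a known-good reference list. The manifest format ("md5  path" lines), the function names and the sample files are assumptions made for illustration; the reference digests are constructed, not real Sun fingerprints.

```python
import hashlib
import os
import tempfile

def md5_of(path, chunk=65536):
    """Stream the file through MD5 so large binaries are not read in one piece."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def parse_manifest(text):
    """Parse 'md5  path' lines (an assumed, md5sum-style format) into {path: md5}."""
    known = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        digest, path = line.split(None, 1)
        known[path] = digest.lower()
    return known

def verify(known, root="/"):
    """Check each manifest entry under root (e.g. the suspect disk mounted read-only)."""
    results = {}
    for path, expected in known.items():
        local = os.path.join(root, path.lstrip("/"))
        if not os.path.isfile(local):
            results[path] = "MISSING"
        else:
            results[path] = "OK" if md5_of(local) == expected else "MISMATCH"
    return results

def demo():
    """Constructed sample: a scratch root with one intact and one altered 'binary'."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/bin"))
    for name, data in (("netstat", b"replaced netstat"), ("ls", b"vendor ls")):
        with open(os.path.join(root, "usr/bin", name), "wb") as f:
            f.write(data)
    manifest = "\n".join([
        "# constructed reference values, not real Sun fingerprints",
        hashlib.md5(b"vendor netstat").hexdigest() + "  /usr/bin/netstat",
        hashlib.md5(b"vendor ls").hexdigest() + "  /usr/bin/ls",
        hashlib.md5(b"vendor ps").hexdigest() + "  /usr/bin/ps",
    ])
    return verify(parse_manifest(manifest), root)

if __name__ == "__main__":
    print(demo())
```

The result is only as trustworthy as the tool doing the hashing, so run the check from a known-clean system or read-only media against the suspect disk rather than with the suspect host's own binaries.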




