[Intrusions] brightstor/arcserve backup client hacked

Smith, Donald Donald.Smith at qwest.com
Thu Mar 3 01:30:23 GMT 2005


Port 41523 could be a legit source port and therefore a possible destination port in a response packet.
If you block a port most OSes will retry access a few times usually using a different high-number port.
It shouldn't hurt anything to leave that blocked unless you are doing ARCserve over the internet:)


donald.smith at qwest.com giac




-----Original Message-----
From: intrusions-bounces at lists.sans.org on behalf of Andrew Daviel
Sent: Tue 3/1/2005 12:05 PM
To: intrusions at incidents.org
Subject: RE: [Intrusions] brightstor/arcserve backup client hacked
 

As 3 people have asked me for capture files,
I have placed a tcpdump capture file with 2 targets
on http://andrew.triumf.ca/arckit/
together with some rootkit files

The capture is only 300 bytes/packet as I recall

We had I think 23 targets so there's more data available if required.

If the rootkit server's still up it's possible to login using the
info from the capture. I did email the webmaster (virtual university in
Czech Republic).

Later investigation found an ftp server running on port 187 (one of the
cloaked ports) and the attacker later logged in on this and ran some
bandwidth tests. I presume that the intent was to store pirated media.

Our PC guys are running around with a program called "RootKitRevealer"
patching the infected systems from a rescue disk. Meanwhile we blocked
port 187 and also the original ARCserve port 41523 pending an update of
the backup client.

Just trying to think if 41523 might be used as a legitimate inbound port
for http requests, ftp, NFS etc. Maybe. Linux kernel seems to use
local ports between 1024 & 4999 but a comment says
"For high-usage systems, use sysctl to change this to 32768-61000".
Which I presume is legal, so maybe we don't want to statically block
41523 at the router indefinitely ... My tcp's rusty - if
a packet fails on one port will it be retried on another port or the same
one ?



-- 
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376  (Pacific Time)
security at triumf.ca
_______________________________________________
Intrusions mailing list
Intrusions at lists.sans.org
http://www.dshield.org/mailman/listinfo/intrusions
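Andrew's question (could 41523 turn up as a legitimate local port after the sysctl change?) and Donald's answer (a blocked port costs one retry on a fresh high-number port) can both be checked with a small script. The following is an added example, not code from either poster: it parses the two-integer form of the Linux ip_local_port_range sysctl, reports whether a statically blocked port falls inside the ephemeral range, and estimates how often an outbound connection would draw that port. The sysctl strings are constructed to match the ranges quoted in the thread; the live /proc read is optional and only works on Linux.

```python
"""Does a router-level block on a port collide with the local ephemeral range?

Added example (not from the original posts).  Constructed inputs mirror the
two ranges mentioned in the thread: 1024-4999 (old Linux default) and
32768-61000 (the "high-usage" sysctl value).
"""
from typing import Dict, Optional, Tuple

ARCSERVE_PORT = 41523  # the port blocked at the router in the thread

PortRange = Tuple[int, int]


def parse_port_range(text: str) -> PortRange:
    """Parse 'low high' as written in /proc/sys/net/ipv4/ip_local_port_range."""
    parts = text.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'low high', got {text!r}")
    low, high = int(parts[0]), int(parts[1])
    if not (1 <= low <= high <= 65535):
        raise ValueError(f"invalid port range {low}-{high}")
    return low, high


def read_local_port_range(
    path: str = "/proc/sys/net/ipv4/ip_local_port_range",
) -> Optional[PortRange]:
    """Read the live range on Linux; return None on other systems."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_port_range(fh.read())
    except OSError:
        return None


def collision_probability(port: int, port_range: PortRange) -> float:
    """Expected fraction of outbound connections whose source port is `port`.

    Assumes the kernel draws ephemeral ports uniformly from the range, which is
    a simplification (real allocators randomise within the range and skip ports
    already in use), so treat the result as an order-of-magnitude estimate.
    """
    low, high = port_range
    if not low <= port <= high:
        return 0.0
    return 1.0 / (high - low + 1)


def assess_block(port: int, port_range: PortRange) -> Dict[str, object]:
    """Summarise the side effects of statically blocking `port` at the router.

    A collision does not break the client: as Donald notes, the OS retries on
    a fresh high-number port, so the cost is one delayed connection attempt
    per `expected_connections_per_hit` connections on average.
    """
    low, high = port_range
    in_range = low <= port <= high
    return {
        "port": port,
        "range": port_range,
        "in_ephemeral_range": in_range,
        "collision_probability": collision_probability(port, port_range),
        "expected_connections_per_hit": (high - low + 1) if in_range else None,
    }


if __name__ == "__main__":
    for label, sysctl in (("default", "1024 4999"), ("high-usage", "32768 61000")):
        print(label, assess_block(ARCSERVE_PORT, parse_port_range(sysctl)))
    live = read_local_port_range()
    if live is not None:
        print("this host", assess_block(ARCSERVE_PORT, live))
```

With the old 1024-4999 default the block is invisible to outbound traffic; with 32768-61000 the blocked port is inside the range, so roughly one outbound connection in 28,000 will have to be retried on another port, which is the minor cost Donald describes.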