Stephen W. Thompson
thompson at pobox.upenn.edu
Tue Jun 3 19:31:44 GMT 2003
Steve Bernard wrote:
> I've got a compromised box that is running a service on TCP port 33.
> I can't find anything from Google, SANS, etc. regarding this port,
> except that it's "supposed to be" the Display Support Protocol. Using
> telnet to connect to the port provides the following:
> # telnet a.b.c.d 33
> Trying a.b.c.d...
> Connected to a.b.c.d.
> Escape character is '^]'.
> [Pressed <Enter>]
> 220 v:0.2
> 500 Not Loged in
> telnet> close
> Connection closed.
> Has anyone else seen this?
More and more I find it makes more sense to find out what *is* running
rather than what *might be* running. On WinXP/2K, this means running a
tool such as fport.exe (from foundstone.com, freely-usable though
copyrighted), or "netstat -an -o" (I believe) on WinXP, or lsof on
Unix-like systems. All such tools will show, for each open port, what
file/executable has the port open.
Steve, security analyst
Stephen W. Thompson, UPenn, ISC Information Security, 215-898-1236
The only safe choice: Write e-mail as if it's public. Cuz it could be.
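
An added example, not part of the original message: a shell function that parses lsof's `-F` field output to name the process holding a given TCP port open, which is the lookup the reply describes for Unix-like systems. The sample lsof output below (PIDs and the process name `svc33`) is constructed for illustration.

```shell
#!/bin/sh
# port_owners PORT
# Reads `lsof -nP -iTCP -sTCP:LISTEN -Fpcn` output on stdin and prints
# "PID COMMAND" for every process listening on TCP port PORT.
# Field output is one item per line: p<pid>, c<command>, f<fd>, n<addr:port>.
port_owners() {
    awk -v port="$1" '
        /^p/ { pid = substr($0, 2); cmd = ""; next }   # new process set
        /^c/ { cmd = substr($0, 2); next }             # its command name
        /^n/ {
            # The port is whatever follows the last colon; this also
            # handles bracketed IPv6 names such as [::1]:631.
            n = split(substr($0, 2), parts, ":")
            if (parts[n] == port && !seen[pid]++) print pid, cmd
        }
    '
}

# Constructed sample of lsof field output (not captured from a real host).
SAMPLE='p412
csshd
f3
n*:22
p1877
csvc33
f4
n*:33
p901
ccupsd
f7
n127.0.0.1:631
f8
n[::1]:631'

# Offline demonstration against the constructed sample.
printf '%s\n' "$SAMPLE" | port_owners 33

# On a live system (root is needed to see other users' processes):
#   lsof -nP -iTCP -sTCP:LISTEN -Fpcn | port_owners 33
# On Linux, the PID can then be resolved to a binary with:
#   ls -l /proc/<pid>/exe
```

On a host already known to be compromised, run a known-good copy of lsof from read-only media, since the installed binaries may have been replaced.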