[CLUE-Admin] unusual server activity

rjohnston at techangle.com
Fri Dec 5 14:05:22 MST 2003


Open ports: 

Port       State       Service
21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
514/tcp    open        shell
999/tcp    open        garcon
1024/tcp   open        kdm
2401/tcp   open        cvspserver
3306/tcp   open        mysql


-----Original Message-----
From: clue-admin-admin at clue.denver.co.us [mailto:clue-admin-admin at clue.denver.co.us] On Behalf Of Lynn Danielson
Sent: Friday, December 05, 2003 1:44 PM
To: clue-admin at clue.denver.co.us
Subject: Re: [CLUE-Admin] unusual server activity


Jed S. Baer wrote:

> IIRC, WU-ftp will run standalone, although I don't remember the gory 
> details.
>
> I know it's probably too late, but is there any way to answer the question
> of how an ftp daemon got started? If not by inetd, then ...? Do we have
> any forensics available (tripwire)?
>

No tripwire.  No snort.  I for one would like to know how the ftp
daemon got started.  The only mechanism I was aware of was the
inet daemon and that seems to be what is/was allowing the access.
Even though the only ftp service not commented out in /etc/services
is sftp and all ftp daemon info is commented out in /etc/inetd.conf,
inetd will start up the wu-ftp daemon as long as that daemon exists
and is executable.

So, why doesn't it open up telnet and every other service for which
we have an existing daemon program?  Can someone portscan our
box and see what responds?  To the best of my knowledge, the only
ports that should be open are 22 (ssh), 25 (smtp) and 80 (http).

Lynn



_______________________________________________
CLUE-Admin mailing list
Post messages to: CLUE-Admin at clue.denver.co.us
Unsubscribe or manage your options: http://clue.denver.co.us/mailman/listinfo/clue-admin
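
An added example, not part of the original thread: one way to turn the scan above into an audit list by dropping the ports the thread says should be open (22, 25, 80) and marking whether each remaining port has an active, uncommented entry in inetd.conf. The scan table is the one posted above; the inetd.conf content is a constructed sample (the real file is not shown in the thread), and `audit_ports` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example. SCAN is the table from the post; INETD_CONF is constructed.

EXPECTED="22 25 80"   # ports the thread says should be open

SCAN='21/tcp     open        ftp
22/tcp     open        ssh
25/tcp     open        smtp
80/tcp     open        http
111/tcp    open        sunrpc
113/tcp    open        auth
514/tcp    open        shell
999/tcp    open        garcon
1024/tcp   open        kdm
2401/tcp   open        cvspserver
3306/tcp   open        mysql'

INETD_CONF='# constructed sample, not the real file from the thread
#ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
#telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
auth     stream  tcp  wait    root  /usr/sbin/in.identd  in.identd
shell    stream  tcp  nowait  root  /usr/sbin/tcpd  in.rshd'

# audit_ports SCAN INETD_CONF EXPECTED
# Prints one line per open TCP port that is not in EXPECTED:
#   PORT SERVICE inetd|other
# "inetd" = an uncommented tcp entry for that service name or port exists;
# "other" = no such entry, so the listener was started some other way.
audit_ports() {
    printf '%s\n---\n%s\n' "$2" "$1" | awk -v expected="$3" '
        BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) ok[e[i]] = 1 }
        $0 == "---" { scan = 1; next }
        # inetd.conf part: remember active (uncommented) tcp entries
        !scan { if ($0 !~ /^[ \t]*#/ && $3 ~ /^tcp/) active[$1] = 1; next }
        # scan part: lines of the form "PORT/tcp open SERVICE"
        $2 == "open" && $1 ~ /\/tcp$/ {
            port = $1; sub(/\/tcp$/, "", port)
            if (port in ok) next
            how = ((($3 in active) || (port in active)) ? "inetd" : "other")
            print port, $3, how
        }'
}

audit_ports "$SCAN" "$INETD_CONF" "$EXPECTED"
```

Ports reported as `other` are the ones to trace to a process on the host itself, for example with `netstat -tlnp` or `lsof -i`, since the scan only shows that something is listening.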



