[CLUE-Admin] unusual server activity
rjohnston at techangle.com
Fri Dec 5 14:05:22 MST 2003
Open ports:
Port State Service
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
514/tcp open shell
999/tcp open garcon
1024/tcp open kdm
2401/tcp open cvspserver
3306/tcp open mysql
-----Original Message-----
From: clue-admin-admin at clue.denver.co.us
[mailto:clue-admin-admin at clue.denver.co.us]On Behalf Of Lynn Danielson
Sent: Friday, December 05, 2003 1:44 PM
To: clue-admin at clue.denver.co.us
Subject: Re: [CLUE-Admin] unusual server activity
Jed S. Baer wrote:
> IIRC, WU-ftp will run standalone, although I don't remember the gory
> details.
>
>I know it's probably too late, but is there any way to answer the question
>of how an ftp daemon got started? If not by inetd, then ...? Do we have
>any forensics available (tripwire)?
>
No tripwire. No snort. I for one would like to know how the ftp
daemon got started. The only mechanism I was aware of was the
inet daemon and that seems to be what is/was allowing the access.
Even though the only ftp service not commented out in /etc/services
is sftp and all ftp daemon info is commented out in /etc/inetd.conf,
inetd will start up the wu-ftp daemon as long as that daemon exists
and is executable.

So, why doesn't it open up telnet and every other service for which
we have an existing daemon program? Can someone portscan our
box and see what responds? To the best of my knowledge, the only
ports that should be open are 22 (ssh), 25 (smtp) and 80 (http).

Lynn
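
An added example, not part of either message in this thread: one way to triage the scan posted above against the three ports the thread says should be open, and to mark which unexpected listeners have an active inetd.conf entry. The inetd.conf contents are a constructed sample (not the file from this server), the function names are hypothetical, and matching the scan's service-name column against the inetd.conf name field is an assumption.

```python
SCAN = """\
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
80/tcp open http
111/tcp open sunrpc
113/tcp open auth
514/tcp open shell
999/tcp open garcon
1024/tcp open kdm
2401/tcp open cvspserver
3306/tcp open mysql
"""

EXPECTED = {22, 25, 80}  # ports the thread says should be open

# Constructed sample inetd.conf: ftp and telnet commented out, one active entry.
INETD_CONF = """\
#ftp     stream tcp nowait root   /usr/sbin/tcpd      in.ftpd -l -a
#telnet  stream tcp nowait root   /usr/sbin/tcpd      in.telnetd
auth     stream tcp nowait nobody /usr/sbin/in.identd in.identd
"""

def parse_scan(text):
    """Map open TCP port -> service name from 'PORT/tcp open NAME' lines."""
    rows = (line.split() for line in text.splitlines())
    return {int(f[0].split("/")[0]): f[2] for f in rows
            if len(f) >= 3 and f[0].endswith("/tcp") and f[1] == "open"}

def active_inetd_services(conf):
    """Service names on uncommented inetd.conf lines."""
    names = set()
    for line in conf.splitlines():
        fields = line.split()
        # Commented-out and blank lines are inactive; a real entry has 6+ fields.
        if len(fields) >= 6 and not fields[0].startswith("#"):
            names.add(fields[0])
    return names

def triage(scan=SCAN, expected=EXPECTED, conf=INETD_CONF):
    """Return (port, service, source) for every open port not in the expected set."""
    inetd = active_inetd_services(conf)
    return [(port, svc, "inetd" if svc in inetd else "no active inetd line")
            for port, svc in sorted(parse_scan(scan).items())
            if port not in expected]

if __name__ == "__main__":
    for port, svc, source in triage():
        print(f"{port:>5}/tcp  {svc:<12} {source}")
```

A listener reported as "no active inetd line" was started by something other than that configuration file, such as an init script or a manually launched process, so its parent process and start time are the next things to check.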