Supposedly open ports on Debian Woody

Bernhard Sadlowski sadlowsk at Mathematik.Uni-Bielefeld.DE
Mon Mar 4 19:56:07 CET 2002


Hi Achim,

On 04 Mar 2002 19:21, Achim Dreyer <adreyer at math.uni-paderborn.de> wrote:
> > 67/udp (bootps) is not open according to netstat or lsof.
> .. have you looked in (x)inetd.conf already? Maybe it is only open when a request
> arrives at the port..

Standard Debian Woody:

# grep -v "^#" /etc/inetd.conf  | sort | uniq

daytime         stream  tcp     nowait  root    internal
discard         dgram   udp     wait    root    internal
discard         stream  tcp     nowait  root    internal
smtp            stream  tcp     nowait  mail    /usr/sbin/exim exim -bs
time            stream  tcp     nowait  root    internal

# ps ax | egrep 'boot|ftp|dhcp'
16006 pts/0    S      0:00 egrep boot|ftp|dhcp

> > I also see the same supposedly open ports in the scan on SuSE Linux 7.1
> > with kernel 2.2.19. So it seems to affect mainly 2.2.x kernels. But with
> > kernel 2.4.17 port 67/udp is still reported as well!
> 
> .. kernel built with bootp support?

Standard Debian Woody kernel... is there kernel support for that? I thought
a bootpd or something has to be running, and likewise for tftp.
 
> > 2) A security feature of the Linux kernels that fakes trojans on these
> > ports?
> 
> ;-))
> 
> > 3) A bug in the Linux kernels?
> 
> => Features !!

Could be. I haven't found the URL for it or the mail from linux-kernel! :-)
 
> > Port       State       Service
> > 53/udp     open        domain
> 
> .. why do you have that open? Is the machine a DNS server? You wrote
> something about a workstation..

Well, that is my firewall at home, which also runs bind. If the port is closed,
no DNS resolution goes through named. Apparently named needs the open port to
receive answers to external queries??!!

> > 67/udp     open        bootps
> > 10498/udp  open        unknown
> > 18753/udp  open        unknown
> > 27444/udp  open        Trinoo_Bcast
> > 34555/udp  open        unknown
> 
> .. what are those high ports?

Good question. That is why this mail. Some FAQs say these are ports used by
Linux/Solaris rootkits/worms. Nessus says about it:

---------- 8< -------------------------------------------------------------
 . Vulnerability found on port unknown (34555/udp) :



    The remote host appears to be running
    Trin00 for windows, which is a trojan that can be
    used to control your system or make it
    attack another network (this is
    actually called a distributed denial
    of service attack tool)

    It is very likely that this host
    has been compromised

    Solution : Restore your system from backups,
           contact CERT and your local
           authorities

    Risk factor : Critical
    CVE : CAN-2000-0138

 . Vulnerability found on port unknown (27444/udp) :



    The remote host appears to be running
    Trin00, which is a trojan that can be
    used to control your system or make it
    attack another network (this is
    actually called a distributed denial
    of service attack tool)

    It is very likely that this host
    has been compromised

    Solution : Restore your system from backups,
           contact CERT and your local
           authorities

    Risk factor : Critical
    CVE : CAN-2000-0138

 . Vulnerability found on port unknown (18753/udp) :



    The remote host appears to be running
    Shaft, which is a trojan that can be
    used to control your system or make it
    attack another network (this is
    actually called a distributed denial
    of service attack tool)

    It is very likely that this host
    has been compromised

    Solution : Restore your system from backups,
           contact CERT and your local
           authorities

    Risk factor : Critical
    CVE : CAN-2000-0138

 . Vulnerability found on port unknown (10498/tcp) :



    The remote host appears to be running
    a mstream agent, which is a trojan that can be
    used to control your system or make it
    attack another network (this is
    actually called a distributed denial
    of service attack tool)

    It is very likely that this host
    has been compromised

    Solution : Restore your system from backups,
           contact CERT and your local
           authorities

    Risk factor : Critical
    CVE : CAN-2000-0138


 . Information found on port bootps (67/udp)


    Here is the information we could gather from the remote DHCP
    server. This allows an attacker on your local network to gain
    information about it easily :

    Master DHCP server of this network : 10.59.52.232
    IP address the DHCP server would attribute us : 15.75.206.84
    time server(s) =


    Solution : remove the options that are not in use in your DHCP server
    Risk factor : Low

---------- 8< -------------------------------------------------------------

The problem is: it is not just my router at home... apparently all the Linuxes
(Debian, SuSE, Redhat) I see show the same behaviour.

Bernhard
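A UDP scanner can only report a port as "open" when no ICMP port-unreachable comes back, so a silent port is not evidence of a listener. As an added example (not part of the original mail), the following script does by hand-free what Bernhard did manually above: it takes the scanner's table of "open" UDP ports and subtracts the sockets that are actually bound on the host, leaving the claims that have no local listener behind them. The scan table and the netstat-style listing are constructed samples modelled on the mail.

```shell
#!/bin/sh
# Constructed scanner output, laid out like the table quoted in the mail.
SCAN_RESULT='Port       State       Service
53/udp     open        domain
67/udp     open        bootps
10498/udp  open        unknown
18753/udp  open        unknown
27444/udp  open        Trinoo_Bcast
34555/udp  open        unknown'

# Constructed "netstat -anu"-style listing: what the host really has bound
# (named on 53, inetd's discard service on 9; nothing on the high ports).
LOCAL_UDP='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:53              0.0.0.0:*
udp        0      0 0.0.0.0:9               0.0.0.0:*'

# UDP ports the scanner claims are open, one port number per line.
scanned_open_udp() {
    printf '%s\n' "$SCAN_RESULT" |
        awk '$2 == "open" && $1 ~ /\/udp$/ { sub(/\/udp$/, "", $1); print $1 }'
}

# UDP ports with a socket actually bound locally, taken from the netstat listing.
bound_udp() {
    printf '%s\n' "$LOCAL_UDP" |
        awk '$1 == "udp" { n = split($4, a, ":"); print a[n] }'
}

# Scanner claims with no local socket behind them: scan artefacts to verify
# with lsof/netstat on the host itself rather than trojans to panic about.
unbacked_ports() {
    for p in $(scanned_open_udp); do
        bound_udp | grep -qx "$p" || echo "$p"
    done
}

unbacked_ports
```

On a real host, replace LOCAL_UDP with the live output of netstat -anu; a port that appears in the scanner's list but not in the bound list has no process behind it, which is the point of the question in this thread.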



