Home Forums Articles Downloads Hosting Freebies Jobs
Welcome to Linux Forums! With a comprehensive Linux Forum, information on various types of Linux software and many Linux Reviews articles, we have all the knowledge you need a click away, or accessible via our knowledgeable members.
Find the answer to your Linux question:
New to Linux Forums? Register here for free!
    Linux Forums > GNU Linux Zone > Linux Security > Port 2128 backdoor?

Forgot Password?
 Linux Security   Discussion about keeping your machines secure, and the crackers out.

Site Navigation
Linux Articles
Linux Forums
Linux Downloads
Linux Hosting
Free Magazines
Job Board
IRC Chat
RSS Feeds


Linux Forum Topics
Linux Forums
Your Distro
Linux Resources
GNU Linux Zone
The Community
Reply
 
Thread Tools Display Modes
Old 08-21-2009   #1 (permalink)
Just Joined!
 
Join Date: Jun 2009
Posts: 3
Unhappy Port 2128 backdoor?
One of the routine checkers (rkhunter) in our systems reported a warning for a backdoor on
port tcp 2128, which in subsequent checks disappeared.
The system now looks fine.

Now, I couldn't find anything detailed around the net, except that in past versions of
rkhunter, that port corresponded to some 'MRK' malware.

Does anybody have any pointer?
Which is the most appropriate strategy to adopt in these cases? Total disconnection &
reinstall in case I don't find any better informations?
IPTables/checkers/antivirus all report the system as fine.

Thanks!
Saverio
saverio_miroddi is offline  


Reply With Quote
Old 08-21-2009   #2 (permalink)
Just Joined!
 
Join Date: Aug 2009
Posts: 13
Quote:
Originally Posted by saverio_miroddi View Post
One of the routine checkers (rkhunter) in our systems reported a warning for a backdoor on port tcp 2128, which in subsequent checks disappeared.
Then it could have been a transient connection or in older versions of RKH the port check match being too greedy picking up ports on the remote side as well.


Quote:
Originally Posted by saverio_miroddi View Post
The system now looks fine.
"Looks fine" as in you "feel" you shouldn't "worry" or "looks fine" as in you have verified ports in listening state?


Quote:
Originally Posted by saverio_miroddi View Post
Which is the most appropriate strategy to adopt in these cases? Total disconnection & reinstall in case I don't find any better informations? IPTables/checkers/antivirus all report the system as fine.
The appropriate strategy is to use other tools to determine if the warning can be corroborated or not. This will be a combination of file verification possibilities package management offers, using another tool in the same class like Chkrootkit or OSSEC HIDS or (unhide-tcp, netstat lsof, fuser), running a check with a filesystem integrity checker (if deployed before the warning) like Samhain, Aide or even tripwire and reading back logs and auth data for anomalies.

Yes, this could easily have been a false positive and therefore a lot of people will say "don't worry" but that simply is not the right approach.
unspawn is offline   Reply With Quote
Old 08-30-2009   #3 (permalink)
Just Joined!
 
Join Date: Jun 2009
Posts: 3
by "look fine" I meant that I checked the listening ports and there was nothing suspicious.
of course I verified that no files had been tampered (we have different integrity checkers running).

unhide gave several ports in the result - changing every time.

for now, we think the cause has been snort - it was running, so it's like to have been conflicting.
saverio_miroddi is offline   Reply With Quote
Old 09-01-2009   #4 (permalink)
Just Joined!
 
Join Date: Aug 2009
Posts: 13
Quote:
Originally Posted by saverio_miroddi View Post
by "look fine" I meant that I checked the listening ports and there was nothing suspicious.
of course I verified that no files had been tampered (we have different integrity checkers running).
Good work.


Quote:
Originally Posted by saverio_miroddi View Post
unhide gave several ports in the result - changing every time.

for now, we think the cause has been snort - it was running, so it's like to have been conflicting.
It shouldn't. Yes, Snort listens for traffic, but not bound to any ports. Your 'unhide' results, transient TCP ports > 1024 being used, should point to client-server traffic (also see the ip_local_port_range sysctl) and temporarily running tcpdump or inserting iptables "-j LOG" rules should show.
unspawn is offline   Reply With Quote
Reply

« Previous Thread | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools
Display Modes
Linear Mode Linear Mode

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off

Free Magazines
Run Your Own Web Server Using Linux & Apache - Free 191 Page Preview
Learn about everything you'll need to build and maintain your Linux servers, and to deploy Web applications to them.
subscribe
Open Source Security Myths Dispelled
Dispel the five major myths surrounding Open Source Security and gain the tools necessary to make a truly informed decision for your IT organization
subscribe
InformationWeek
InformationWeek is the only newsweekly you'll need to stay on top of the latest developments in information technology.
subscribe



All times are GMT. The time now is 01:34 PM.





Advertise About Us Contact Us Write For Us Archive Top
© 2000 - 2009 - All Rights Reserved - Property of  MAS Media

Content Relevant URLs by vBSEO 3.3.0 RC2