  1. #1
    Just Joined!
    Join Date
    Sep 2005
    Location
    Finland
    Posts
    9

    Strange port 31337 Elite


    When I nmap my computer, it gives this strange port:

    "31337/tcp open Elite"

    What's this all about? It wasn't there last time I nmapped myself.

  2. #2
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Looks a bit suspect, maybe you've been hacked. 31337 or 1337 is hack talk for leet, or elite. It refers to someone being a good hacker so first thing I would do is run rkhunter or some other rootkit. Seems like you've been done.

    This link may have what you need - rkhunter

  3. #3
    Linux Guru anomie's Avatar
    Join Date
    Mar 2005
    Location
    Texas
    Posts
    1,692
    Obvious cracker port. The person who installed the backdoor is not too bright - apparently he wants to get caught.

    • Take your pc off the network.
    • Back up your personal data.
    • Back up or take an image of your filesystems (if this is a server and you want to 1. investigate further; 2. potentially press charges).
    • Try to determine how the cracker was able to gain access.
    • Rebuild your system with the exploited service appropriately hardened.


    It sucks but it happens. At least this one left his calling card pasted to your door.

  5. #4
    Just Joined!
    Join Date
    Sep 2005
    Location
    Finland
    Posts
    9
    Ok, found the reason for this mess. One of my users had his password as his user name, so the cracker had guessed the password and installed some nasty programs. I removed the programs and deleted the user.

    I traced the evil person back into another server that he had infiltrated just like mine: guessed well. As nothing serious happened, I guess I'll just take my lesson and leave it here, the other admin may proceed with his investigation if he's interested to do that.

  6. #5
    Linux Guru bigtomrodney's Avatar
    Join Date
    Nov 2004
    Location
    Ireland
    Posts
    6,133
    Glad to hear you got sorted, though I'd still recommend running a rootkit hunter as you can never be too sure. Personally if I had a backup of /etc I'd be reinstalling the OS.

  7. #6
    Just Joined!
    Join Date
    Nov 2005
    Location
    /home/eclipse
    Posts
    18

    possible answer

    or maybe it is a psyBNC server; the psyBNC default port is 31337

    check that out

  8. #7
    Linux Guru fingal's Avatar
    Join Date
    Jul 2003
    Location
    Birmingham - UK
    Posts
    1,539
    You might also consider running John the Ripper to check the integrity of your other passwords.

    It sounds like a dodgy programme, but it's really very good.
    I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso

  9. #8
    Just Joined!
    Join Date
    Nov 2005
    Posts
    2

    elite port using " nmap -sX -P0"

    Hi,
    I am trying to determine if I have been hacked.

    When I run "nmap -sX -P0" from outside against my server, I get a report that some ports, including 31337 elite, are open. These ports have been blocked by iptables.

    I have downloaded and run chkrootkit-0.46a, which says that everything is OK.

    Does anyone know of a way to find out why "nmap -sX -P0" is reporting these ports to be open? and what program is responding to the nmap syn requests?
    Thanks in advance!

  10. #9
    Just Joined!
    Join Date
    Nov 2005
    Posts
    15
    A quick Google for "31337 port" would have given you a LOT of results.

  11. #10
    Just Joined!
    Join Date
    Nov 2005
    Posts
    2

    It is nmap

    I have done my research on Elite port, but my problem was with the way that I was running nmap.

    nmap -sX assumes that the port is open if the syn is not acknowledged. It would work if you are not going through a few security zones and routers.
    The problem is that some firewalls/routers simply drop it before it gets to the server.

    For scanning remotely it is better to use -sS instead.

    That is what I have found from my research, but if anyone has a comment or experienced things differently, please let me know.
