- 10-30-2005 #1 Just Joined!
- Join Date
- Sep 2005
- Location
- Finland
- Posts
- 9
Strange port 31337 Elite
When I nmap my computer, it gives this strange port:
"31337/tcp open Elite"
What's this all about? It wasn't there last time I nmapped myself.
- 10-30-2005 #2 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
Looks a bit suspect, maybe you've been hacked. 31337 or 1337 is hack talk for leet, or elite. It refers to someone being a good hacker, so the first thing I would do is run rkhunter or some other rootkit. Seems like you've been done.
This link may have what you need - rkhunter
- 10-30-2005 #3
Obvious cracker port. The person who installed the backdoor is not too bright - apparently he wants to get caught.
- Take your pc off the network.
- Back up your personal data.
- Back up or take an image of your filesystems (if this is a server and you want to 1. investigate further; 2. potentially press charges).
- Try to determine how the cracker was able to gain access.
- Rebuild your system with the exploited service appropriately hardened.
It sucks but it happens. At least this one left his calling card pasted to your door.
- 11-01-2005 #4 Just Joined!
- Join Date
- Sep 2005
- Location
- Finland
- Posts
- 9
Ok, found the reason for this mess. One of my users had his password as his user name, so the cracker had guessed the password and installed some nasty programs. I removed the programs and deleted the user.
I traced the evil person back into another server that he had infiltrated just like mine: guessed well. As nothing serious happened, I guess I'll just take my lesson and leave it here, the other admin may proceed with his investigation if he's interested to do that.
- 11-01-2005 #5 Linux Guru
- Join Date
- Nov 2004
- Posts
- 6,110
Glad to hear you got sorted, though I'd still recommend running a rootkit hunter as you can never be too sure. Personally if I had a backup of /etc I'd be reinstalling the OS.
- 11-16-2005 #6 Just Joined!
- Join Date
- Nov 2005
- Location
- /home/eclipse
- Posts
- 18
Possible answer
Or maybe it is a psyBNC server; the psyBNC default port is 31337.
Check that out.
- 11-16-2005 #7
You might also consider running John the Ripper to check the integrity of your other passwords.
It sounds like a dodgy programme, but it's really very good.

I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
- 11-30-2005 #8 Just Joined!
- Join Date
- Nov 2005
- Posts
- 2
elite port using " nmap -sX -P0"
Hi,
I am trying to determine if I have been hacked.
When I run "nmap -sX -P0" from outside against my server, I get a report that some ports, including 31337 elite, are open. These ports have been blocked by iptables.
I have downloaded and run chkrootkit-0.46a, which says that everything is OK.
Does anyone know of a way to find out why "nmap -sX -P0" is reporting these ports to be open, and what program is responding to the nmap syn requests?
Thanks in advance!
- 11-30-2005 #9 Just Joined!
- Join Date
- Nov 2005
- Posts
- 15
A quick Google for "31337 port" would have given you a LOT of results.
- 11-30-2005 #10 Just Joined!
- Join Date
- Nov 2005
- Posts
- 2
It is nmap
I have done my research on Elite port, but my problem was with the way that I was running nmap.
nmap -sX assumes that the port is open if the syn is not acknowledged. It would work if you are not going through a few security zones and routers.
The problem is that some firewalls/routers simply drop it before it gets to the server.
For scanning remotely it is better to use -sS instead.
That is what I have found from my research, but if anyone has a comment or experienced things differently, please let me know.


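Added example (not part of the original thread): a remote scan only shows how the network path answered, so the question raised above, whether a program on the host is really listening on 31337 and which one, is better settled on the host itself. This Python sketch parses the IPv4 listener table in `/proc/net/tcp` and maps a socket inode to the owning PID; the function names, the allow-list `{22, 25}` and the sample rows are assumptions constructed for illustration.

```python
import os, socket, struct

LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp format (IPv4 only; not data from the thread).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 00000000:7A69 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 0A00000A:0016 1400000A:C350 01 00000000:00000000 02:000A0000 00000000     0        0 44444 1 0000000000000000 20 4 30 10 -1
"""

def listeners(proc_net_tcp_text):
    """Return [(ip, port, uid, inode)] for every socket in LISTEN state."""
    found = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        f = line.split()
        if len(f) < 10 or f[3] != LISTEN:
            continue
        addr_hex, port_hex = f[1].split(":")
        # The address is a little-endian hex word; the port is plain hex.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        found.append((ip, int(port_hex, 16), int(f[7]), int(f[9])))
    return found

def owner_pids(inode, proc="/proc"):
    """PIDs holding socket:[inode] open (run as root to see every process)."""
    target = f"socket:[{inode}]"
    pids = []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            for fd in os.listdir(fd_dir):
                if os.readlink(os.path.join(fd_dir, fd)) == target:
                    pids.append(int(pid))
                    break
        except OSError:  # process exited or permission denied
            continue
    return pids

def unexpected(listening, allowed_ports):
    """Listeners whose port is not on the allow-list of expected services."""
    return [entry for entry in listening if entry[1] not in allowed_ports]

if __name__ == "__main__":
    text = open("/proc/net/tcp").read() if os.path.exists("/proc/net/tcp") else SAMPLE
    for ip, port, uid, inode in unexpected(listeners(text), {22, 25}):
        print(f"{ip}:{port} uid={uid} inode={inode} pids={owner_pids(inode)}")
```

If the host may already be compromised, its own tools and `/proc` view can be tampered with, so treat a clean result here as one data point alongside the rootkit checks and rebuild advice given in the thread.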
