port 22222 vulnerability

 
 
Allan Bruce

 
      10-09-2003, 08:16 PM
Hello there,

I just ran a port scan on my machine, and found that my port 22222 is open
to attack by a trojan horse. I tried to reject this in iptables but it
hasn't done anything. Is this a problem? Does anybody know how to get around
this?

Thanks
Allan



--
Allan Bruce
Dept. of Computing Science
University of Aberdeen
Aberdeen AB24 3UE
Scotland, UK


 
 
 
 
 
Peter T. Breuer

 
      10-09-2003, 09:30 PM
Allan Bruce <(E-Mail Removed)> wrote:
> I just ran a port scan on my machine, and found that my port 22222 is open
> to attack by a trojan horse. I tried to reject this in iptables but it
> hasn't done anything. Is this a problem? Does anybody know how to get around
> this?


Yes. Don't run a trojan horse. You are saying "I have discovered that
my upper lip is vulnerable to attack by me shooting myself in the mouth".
Don't do that then. And quit worrying about firewalls. Firewalls don't
protect you from anything particular on linux.

Now what did you REALLY learn? Was something running and listening on
your port 22222? If so, what? Go find out and decide if you want it or
not. Did you start it? If not, then somebody has cracked your system
and you want to investigate!!!

(and next time please don't mouth off with such awful RUBBISH)

Peter
 
 
Paul Lutus

 
      10-09-2003, 10:24 PM
Allan Bruce wrote:

> Hello there,
>
> I just ran a port scan on my machine, and found that my port 22222 is open
> to attack by a trojan horse.


Which trojan horse? How did you get this idea?

> I tried to reject this in iptables but it
> hasn't done anything.


Define "reject", and post the iptables entry, not your own words. Define
"it". Define "hasn't done anything." Use the information from your
computer, not your native language.

> Is this a problem?


Is what a problem? The problem, or the solution?

> Does anybody know how to get
> around this?


Get around what? Try writing simple declarative sentences, whose ideas flow
logically from one sentence to the next.

--
Paul Lutus
http://www.arachnoid.com

 
 
eddie

 
      10-10-2003, 03:11 AM
On Thu, 09 Oct 2003 21:16:23 +0100, Allan Bruce wrote:

> Hello there,
>
> I just ran a port scan on my machine, and found that my port 22222 is open
> to attack by a trojan horse.

OK, you are open; what about your computer?
snip
> Is this a problem?

It depends
> Does anybody know how to get around this?

Yes
 
 
Leon The Peon

 
      10-10-2003, 03:23 AM

"Allan Bruce" <(E-Mail Removed)> wrote in message
news:bm4fl6$lrn$(E-Mail Removed)...
> Hello there,
>
> I just ran a port scan on my machine, and found that my port 22222 is open
> to attack by a trojan horse.


Does this mean that you have a trojan horse installed?
Hmm.


> I tried to reject this in iptables but it
> hasn't done anything.


> Is this a problem?


Probably not.
The port scan didn't tell you much because it was run inside the firewall.
To test your firewall you have to run the portscan aimed at your machine,
but outside the firewall - e.g. on a friend's system.

> Does anybody know how to get around
> this?


Run the port scanner on another machine aimed at your machine.

Your change to iptables might have worked to secure your box from outside
attack, but your test for the effect did not work.

Actually you should block all ports and only open up those that you want to
have open, e.g. port 80 to allow a web server to work.


Anyone who called Allan Bruce stupid is a right arsehole. The only way to
learn this fact about firewalling is to be told.


 
 
Allan Bruce

 
      10-10-2003, 08:56 AM

"Leon The Peon" <(E-Mail Removed)> wrote in message
news:bm58nh$aio$(E-Mail Removed)...
>
> "Allan Bruce" <(E-Mail Removed)> wrote in message
> news:bm4fl6$lrn$(E-Mail Removed)...
> > Hello there,
> >
> > I just ran a port scan on my machine, and found that my port 22222 is
> > open to attack by a trojan horse.
>
> Does this mean that you have a trojan horse installed?
> Hmm.
>
> > I tried to reject this in iptables but it
> > hasn't done anything.
>
> > Is this a problem?
>
> Probably not.
> The port scan didn't tell you much because it was run inside the firewall.
> To test your firewall you have to run the portscan aimed at your machine,
> but outside the firewall - e.g. on a friend's system.

I ran the test at http://security.symantec.com
which alerted me to the problem.

> > Does anybody know how to get around
> > this?
>
> Run the port scanner on another machine aimed at your machine.
>
> Your change to iptables might have worked to secure your box from outside
> attack, but your test for the effect did not work.
>
> Actually you should block all ports and only open up those that you want
> to have open, e.g. port 80 to allow a web server to work.

I now have every single port blocked apart from my port 80 for apache, and a
select few others which don't seem to be "common" ports for attack (i.e. I
have selected them as >10000)

> Anyone who called Allan Bruce stupid is a right arsehole. The only way
> to learn this fact about firewalling is to be told.
>


Thanks, I felt some of the replies were a little short!


 
 
Neil Horman

 
      10-10-2003, 11:46 AM
Allan Bruce wrote:
> Hello there,
>
> I just ran a port scan on my machine, and found that my port 22222 is open
> to attack by a trojan horse. I tried to reject this in iptables but it
> hasn't done anything. Is this a problem? Does anybody know how to get around
> this?
>
> Thanks
> Allan
>
>
>

Sounds like somebody is running an undesirable program on your system.
Run the following command:
netstat -a --program
This will provide a list of open sockets on your system. Examine the
output to find the program which is listening on the offending port and
deal with it as you see fit.

HTH
Neil

--
/***************************************************
*Neil Horman
*Software Engineer
*Red Hat, Inc., www.redhat.com
*gpg keyid: 1024D / 0x92A74FA1
*http://www.keyserver.net
***************************************************/
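
Added example (not part of Neil's post or of the thread): a small shell helper that filters numeric `netstat -tlnp` output for one port and reports the bind address, whether that address is reachable from other hosts, and the owning PID/program. The sample output, its PIDs and the program name `unknownd` are constructed for illustration.

```sh
#!/bin/sh
# Added example: find which program owns a listening TCP port, reading
# `netstat -tlnp`-style output on stdin (numeric addresses, PID/Program column).

# Constructed sample output; PIDs and the name "unknownd" are made up.
sample_netstat() {
cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      812/apache
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      640/cupsd
tcp        0      0 0.0.0.0:22222           0.0.0.0:*               LISTEN      1377/unknownd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      -
EOF
}

# listeners_on PORT: print "<bind-address> <scope> <pid/program>" for every
# TCP listener on exactly PORT.
listeners_on() {
    awk -v port="$1" '
    $1 ~ /^tcp/ && $6 == "LISTEN" {
        n = split($4, parts, ":")       # last piece is the port (IPv4 or IPv6)
        if (parts[n] != port) next      # exact match, so 2222 is not 22222
        addr = substr($4, 1, length($4) - length(parts[n]) - 1)
        if (addr ~ /^127\./ || addr == "::1") {
            scope = "local-only"        # loopback: other hosts cannot connect
        } else if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
            scope = "all-interfaces"    # reachable unless a firewall blocks it
        } else {
            scope = "one-interface"
        }
        # Without root, netstat prints "-" instead of the PID/program.
        owner = ($7 == "" || $7 == "-") ? "unknown(run-as-root)" : $7
        print addr, scope, owner
    }'
}

# Live use (as root, so the PID/Program column is filled in):
#   netstat -tlnp | listeners_on 22222
sample_netstat | listeners_on 22222
```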

 
 
Charlie Gibbs

 
      10-10-2003, 09:11 PM
In article <bm5s6k$7jl$(E-Mail Removed)> (E-Mail Removed)
(Allan Bruce) writes:

>"Leon The Peon" <(E-Mail Removed)> wrote in message
>news:bm58nh$aio$(E-Mail Removed)...
>
>> Anyone who called Allan Bruce stupid is a right arsehole. The only
>> way to learn this fact about firewalling is to be told.

>
>Thanks, I felt some of the replies were a little short!


Don't worry about it; you were just unlucky enough to trigger
responses from the group's two top flamers. They know their
stuff, but they can sometimes be a little, uh, undiplomatic.

--
/~\ (E-Mail Removed)lid (Charlie Gibbs)
\ / I'm really at ac.dekanfrus if you read it the right way.
X Top-posted messages will probably be ignored. See RFC1855.
/ \ HTML will DEFINITELY be ignored. Join the ASCII ribbon campaign!

 
 
Thorg Thorgussonne

 
      10-21-2003, 01:59 AM
On Fri, 10 Oct 2003 09:56:38 +0100, Allan Bruce wrote:

> "Leon The Peon" <(E-Mail Removed)> wrote in message
> news:bm58nh$aio$(E-Mail Removed)...
>>
>> "Allan Bruce" <(E-Mail Removed)> wrote in message
>> news:bm4fl6$lrn$(E-Mail Removed)...
>> > Hello there,
>> >
>> > I just ran a port scan on my machine, and found that my port 22222 is
>> > open to attack by a trojan horse.
>>
>> Does this mean that you have a trojan horse installed?
>> Hmm.
>>
>> > I tried to reject this in iptables but it
>> > hasn't done anything.
>>
>> > Is this a problem?
>>
>> Probably not.
>> The port scan didn't tell you much because it was run inside the firewall.
>> To test your firewall you have to run the portscan aimed at your machine,
>> but outside the firewall - e.g. on a friend's system.
>
> I ran the test at http://security.symantec.com
> which alerted me to the problem.
>
>> > Does anybody know how to get around
>> > this?
>>
>> Run the port scanner on another machine aimed at your machine.
>>
>> Your change to iptables might have worked to secure your box from outside
>> attack, but your test for the effect did not work.
>>
>> Actually you should block all ports and only open up those that you want
>> to have open, e.g. port 80 to allow a web server to work.
>
> I now have every single port blocked apart from my port 80 for apache, and a
> select few others which don't seem to be "common" ports for attack (i.e. I
> have selected them as >10000)
>
>> Anyone who called Allan Bruce stupid is a right arsehole. The only way
>> to learn this fact about firewalling is to be told.
>
> Thanks, I felt some of the replies were a little short!


FWIW The http://security.symantec.com test does not work on Linux boxes,
according to the notice I received when I tried to use their test. It
worked fine on my XP box.

Cheers,

Thorg

 
 
Michael C.

 
      10-25-2003, 10:23 AM
On Tue, 21 Oct 2003 01:59:46 GMT,
Thorg Thorgussonne <(E-Mail Removed)> wrote:
> FWIW The http://security.symantec.com test does not work on Linux
> boxes, according to the notice I received when I tried to use their
> test. It worked fine on my XP box.


It works fine, just lie about the OS, and possibly the browser.

I just ran it using lynx on Debian 3.0r1.

Michael C.
--
(E-Mail Removed) http://mcsuper5.freeshell.org/
Registered Linux User #303915 http://counter.li.org/


 