Well, I had SSH enabled on the machine before I killed it. I am new to Linux, but I have always been interested in computer security and some day wish to be a consultant or work in computer security for a company.
Anyhow, I checked my log files and came upon a user that is trying to gain access through SSH. From the looks of it, it looks like a program scanning default passwords and accounts, hoping to get lucky. I only have 3 ports open, so I don't think he will get in that easy.
Anyhow, I won't use the person's real IP address. So I start investigating by doing a whois and figure out the ISP is Comcast Cable Communications. So I am guessing this is a regular script kiddie just scanning, hoping to get lucky. (This is what I thought at first.)
So I scan his IP address, and it has some ports open:
Code:
22/tcp open ssh
53/tcp open domain
111/tcp open rpcbind
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
351/tcp filtered matip-type-b
445/tcp filtered microsoft-ds
638/tcp filtered unknown
1080/tcp filtered socks
1720/tcp filtered H.323/Q.931
2401/tcp open cvspserver
3306/tcp open mysql
8888/tcp open sun-answerbook
22321/tcp filtered wnn6_Tw
You can connect to SSH and MySQL; you can also connect to cvspserver, but it kicks you out.
I am not really sure what wnn6_Tw is, but I found out that sun-answerbook is a mIRC bot that does many things:
Quote:
* custom definitions
* custom random quotes
* dictionary word definition lookups
* language translator for 8 different languages
* domain/whois lookup (supports most major registrars)
* weather forecast for US, Canada and every major city on this planet
* currency converter between 173 countries/currencies
* units converter with 100+ units spread over 14 categories
* thesaurus lookups
* tv show lookups
* news headlines
* movie info and weekend boxoffice stats
* actors/actresses short biography/filmography
* sports schedules and scores
* find distance between two cities
* US & Canada residential/business phone number lookup
* eBay item lookup
* webserver software/OS lookup
* IP/Arin netblock lookup
* stock quote lookup for US & Canadian exchanges
* horoscopes
* spellchecker
* word of the day
So what do you guys think: has this computer been rooted and is pretty much a zombie for scanning out PCs, or is it a user trying to break into my PC directly?
I am thinking it's a zombie, and the user doesn't even know.
Would like to hear from some of you and what you think.
Thanks in advance
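Added example, not part of the post above: a small Python script in the spirit of the log check the poster describes, which summarises sshd auth.log failure lines per source address, flags sources that exceed a failure threshold, and marks a guessing source that was later accepted. The log lines are constructed (RFC 5737 documentation addresses), and the threshold of 5 is an assumed value.

```python
import re
from collections import defaultdict

# OpenSSH writes this line to auth.log/journald for each rejected password guess;
# "invalid user" appears when the guessed account does not exist on the box.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)
# A successful login from a source that was guessing is the signal to treat as an incident.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

def summarize_ssh_auth(lines):
    """Return {ip: {"failed": count, "users": usernames tried, "accepted": usernames accepted}}."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "accepted": set()})
    for line in lines:
        f = FAILED_RE.search(line)
        a = ACCEPTED_RE.search(line)
        if f:
            stats[f["ip"]]["failed"] += 1
            stats[f["ip"]]["users"].add(f["user"])
        elif a:
            stats[a["ip"]]["accepted"].add(a["user"])
    return dict(stats)

def classify_sources(lines, threshold=5):
    """'bruteforce' above the failure threshold, 'compromised?' if such a source was accepted."""
    verdicts = {}
    for ip, s in summarize_ssh_auth(lines).items():
        if s["failed"] >= threshold and s["accepted"]:
            verdicts[ip] = "compromised?"
        elif s["failed"] >= threshold:
            verdicts[ip] = "bruteforce"
        else:
            verdicts[ip] = "normal"
    return verdicts

# Constructed sample lines (RFC 5737 addresses), not taken from the poster's machine.
SAMPLE_LOG = [
    "Jan 12 03:14:07 box sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 12 03:14:09 box sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2",
    "Jan 12 03:14:11 box sshd[2205]: Failed password for root from 203.0.113.5 port 51238 ssh2",
    "Jan 12 03:14:13 box sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2",
    "Jan 12 03:14:15 box sshd[2209]: Failed password for root from 203.0.113.5 port 51242 ssh2",
    "Jan 12 03:20:01 box sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2",
    "Jan 12 03:20:05 box sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2",
]
```

Running `classify_sources(SAMPLE_LOG)` labels 203.0.113.5 as `bruteforce` (five failures across four different accounts, the pattern of a default-credential scanner) and 198.51.100.7 as `normal`.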