port 6969 hacK?

Discussion in 'General Discussion' started by tomtom2002, Apr 17, 2004.

  1. tomtom2002 (Member)

    hello guys
    I think I have been hacked.....

    Code:
    6969/tcp filtered acmsoda

    I saw that on my dedicated servers a few times...
    how to fix this backdoor?
    thx
     
  2. parasane (Well-Known Member)

    If strange things are happening on your server coinciding with the :6969 connection, congratulations --- you've been rooted.

    There's an application that runs on *nix and Linux servers on that port named "Netwin DSMTP" (I think only version 2.7q). Unfortunately, there's a widely-publicized exploit for it that allows an attacker to gain remote entry and bind the port to /bin/sh (see why this is bad?).

    Here's the suggestion:

    Code:
    netstat -nvp | grep -i :6969
    You'll see a line similar to this:

    Code:
    tcp        1      0 123.45.67.89:6969     66.66.66.66:32940       ESTABLISHED  31475/DSMTP - ser
    (It probably won't look exactly like that, and it will only say "ESTABLISHED" if the port is receiving traffic. It may instead say "LISTENING" and be marked with asterisks [ * * ], but you get the picture.)

    Take the important information from here --- the PID. In this example, it's 31475. Issue the following command as root:

    Code:
    kill -9 31475
    (or whatever the PID was on your machine)

    That'll SIGTERM the process out, dropping the connection. Next, upgrade to Dmail v2.7r, which is immune to this particular exploit.

    Here's the URL for the upgrade: ftp://ftp.netwinsite.com/pub/dmail/

    Hope that helps.
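The netstat-and-kill procedure above depends on reading the right PID out of the netstat table, and a plain `grep :6969` also matches lines where 6969 is the *remote* port (ordinary outbound traffic) rather than a local listener. The script below is an added example, not code from either poster; it parses netstat -nvp style output, matches only the local port, and prints one PID/program pair per process so you can review it before deciding what to stop. The sample output embedded in it is constructed for the demo, and the PID 31475 and program name DSMTP are reused from the post only as illustrative values.

```shell
#!/bin/sh
# Added example: list the PID and program bound to a given local TCP port
# from netstat -nvp output, ignoring lines where the port is only remote.

# Constructed sample of netstat -nvp output (not captured from a real host).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        1      0 123.45.67.89:6969       66.66.66.66:32940       ESTABLISHED 31475/DSMTP - ser
tcp        0      0 0.0.0.0:6969            0.0.0.0:*               LISTEN      31475/DSMTP - ser
tcp        0      0 10.0.0.5:41022          203.0.113.7:6969        ESTABLISHED 1200/rsync'

# pids_on_port PORT
#   Reads netstat output on stdin and prints "PID PROGRAM" once per unique PID
#   whose LOCAL address ends in :PORT. Lines whose PID column is "-" (netstat
#   run without root, so the owner is not visible) are skipped.
pids_on_port() {
    port="$1"
    awk -v port="$port" '
        $1 ~ /^tcp6?$/ {
            n = split($4, a, ":")           # local port is the last ":"-separated part
            if (a[n] != port) next          # exact match, so :6969 never matches :16969
            for (i = 5; i <= NF; i++) {     # find the PID/Program column
                if ($i ~ /^[0-9]+\//) {
                    split($i, p, "/")
                    if (!(p[1] in seen)) { seen[p[1]] = 1; print p[1], p[2] }
                    break
                }
            }
        }'
}

# Live use on a Linux host (root is needed for -p to show other users'"'"' PIDs):
#   netstat -nvp 2>/dev/null | pids_on_port 6969
# Demo against the constructed sample: prints "31475 DSMTP" and nothing for
# the outbound rsync line whose remote port happens to be 6969.
demo() {
    printf '%s\n' "$SAMPLE_NETSTAT" | pids_on_port 6969
}

demo
```

Once the PID is confirmed to belong to something you did not install, take a copy of /proc/PID/exe and cmdline for the incident record before stopping it; a killed process leaves nothing to examine.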
     