Strange Hack - listen port Alert!!! (FIRST TIME)

Discussion in 'General Discussion' started by claudio, Oct 16, 2004.

  1. claudio
    Well, today I received my first LSM alert (after more than 3 months), 20 minutes after the morning cron, without cPanel updates or daily backups.


    Following is a summary of new Internet Server Sockets:
    tcp 0 0 localhost:54810 0.0.0.0:* LISTEN 702/language.php

    Following is a summary of a new Unix Domain Sockets:
    no changes to Unix Domain Sockets


    How can I track this stuff?


    So I went to SSH and:

    1) no port 702 at all, but I realised:

    I found: 783/tcp open hp-alarm-mgr - suspicious

    netstat -na
    127.0.0.1:783 Listen

    nmap -sS 127.0.0.1

    111/tcp open rpcbind (this is really open at /etc/services ->

    "sunrpc 111/tcp portmapper # RPC 4.0 portmapper TCP"

    783/tcp open hp-alarm-mgr - suspicious, not listed in /etc/apf/conf.apf nor in /etc/services

    953/tcp open rndc - this is also not listed in services or apf


    ***
    I also found an IP already blocked in APF that the kernel didn't drop, without any netstat traffic; I rebooted to get rid of it. It was jammed on port 43089:
    http://www.seifried.org/security/ports/43000/43089.html
    ****

    Ran rkhunter: no rootkits, and I don't know if rkhunter is "outdated".

    Also located some language.php files, but found just cPanel's.

    Share your experiences with me, sirs, and thanks.

    Claudio :confused:
     
  2. claudio
    spamd

    Hi

    I found some information and after a

    fuser -n <proto> <port>

    I could confirm that spamd was using port 783.

    Is it really necessary?

    And I still can't tell what LSM's 702/language.php has to do with all this.

    Regards

    Claudio
     
    #2 claudio, Oct 16, 2004
    Last edited: Oct 16, 2004
  3. chirpy
    I would guess that that is the port that spamc talks to spamd on if you have SpamAssassin enabled in WHM.

    The other one definitely looks suspicious. If the port is still open, you could identify the file using:

    lsof | grep language.php

    If that doesn't show the location of the file, you'll have to search your disks, starting with the /home partition:

    find /home -name language.php
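An added worked example, not part of the thread and not cPanel or LSM code, that ties together the `fuser -n <proto> <port>` lookup in post #2 and the `lsof` / `find` lookups in this post. One point it makes explicit: in the LSM line `702/language.php` the last column is netstat's PID/program field, so 702 is the process id of a process that calls itself `language.php` (its argv[0]), not a port, which is why scanning for port 702 finds nothing. The script assumes a Linux host with /proc, standard awk and find, and, for the port-to-PID lookup, whichever of `ss` (iproute2), `lsof` or `fuser` (psmisc) happens to be installed; the socket lines it parses are constructed to match the alert format quoted in post #1.

```shell
#!/bin/sh
# Added example (not from the thread): read an LSM / "netstat -plnt" style
# socket line, pull out the PID that owns the socket, and look the process
# up in /proc. SAMPLE_LINE is constructed to match the alert in post #1.

SAMPLE_LINE='tcp 0 0 localhost:54810 0.0.0.0:* LISTEN 702/language.php'

# parse_socket_line LINE -> prints "<local port> <pid> <program>"
# Column 4 is local address:port, column 7 is PID/program name. The PID is
# 702; "language.php" is only what the process calls itself (argv[0]),
# which is why searching for a port 702 finds nothing.
parse_socket_line() {
    printf '%s\n' "$1" | awk '{
        n = split($4, addr, ":")
        split($7, owner, "/")
        prog = $7
        sub(/^[0-9]*\//, "", prog)
        print addr[n], owner[1], prog
    }'
}

# inspect_pid PID -> what the process really is, read from /proc.
# exe still resolves (marked "(deleted)") if the binary unlinked itself,
# cwd shows where it was started, cmdline shows the interpreter behind a
# fake argv[0], and Uid says which account it runs as.
# Returns 1 when the PID is gone, the situation described in post #4.
inspect_pid() {
    pid=$1
    if [ ! -d "/proc/$pid" ]; then
        echo "pid $pid: no such process (it has exited; work from logs and disk)"
        return 1
    fi
    echo "exe:     $(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    echo "cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
    echo "cmdline: $(tr '\000' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "uid:     $(awk '/^Uid:/ {print $2}' "/proc/$pid/status" 2>/dev/null)"
}

# port_owner PROTO PORT -> owning process for a port you only know by number
# (the way post #2 resolved 783/tcp to spamd). Uses whichever tool exists.
port_owner() {
    proto=$1
    port=$2
    if command -v ss >/dev/null 2>&1; then
        case $proto in tcp) f=t ;; udp) f=u ;; *) return 2 ;; esac
        ss -ln"$f"p "sport = :$port"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -i "$proto:$port"
    elif command -v fuser >/dev/null 2>&1; then
        fuser -v -n "$proto" "$port"
    else
        echo "no ss/lsof/fuser available" >&2
        return 2
    fi
}

# find_script NAME DIR... -> every file with that name under the given trees,
# with owner and mtime, so a customer's legitimate copy (post #4) can be told
# apart from one dropped by an attacker (compare mtime with the alert time).
find_script() {
    name=$1
    shift
    find "$@" -xdev -type f -name "$name" -exec ls -ld {} \; 2>/dev/null
}

# Walk the alert: one line here, but a real LSM mail may list several.
printf '%s\n' "$SAMPLE_LINE" | while read -r line; do
    set -- $(parse_socket_line "$line")
    echo "port $1 is held by pid $2 ($3)"
    inspect_pid "$2" || true
done
```

If the process has already exited, as it had by the time the alert was read, `inspect_pid` cannot help; then `find_script language.php /home /tmp /var/tmp /dev/shm` and the web server's access logs around the alert time are what is left to work from, and a file whose mtime matches the alert is the one to look at first.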
     
  4. claudio
    Chirpy rules!

    Hi

    First of all, thank you Chirpy, you are really great at helping us : )

    The port was no longer listening when I received the LSM alert.

    I already searched in /home.

    I just found an old /.fantasticodata/language.php imported from an account from another host that used Fantastico

    and

    browser language detection logic Copyright phpMyAdmin (select_lang.lib.php3 v1.24 04/19/2002)

    used by a customer's osCommerce application

    ??????

    A little bit obscure

    Claudio
     