# it should be backdoor?

## r420r

Hi all, I sniffed my network and got this result:

```text
>>> sniff(iface="tun0", filter="port 33296", prn=lambda x: x.show())
###[ IP ]###
  version= 0L
  ihl= 0L
  tos= 0x0
  len= 2
  id= 17664
  flags=
  frag= 124L
  ttl= 138
  proto= 251
  chksum= 0x0
  src= 114.17.247.99
  dst= 77.239.228.230
  options= ''
###[ Raw ]###
     load= 'X\xf7'
###[ Padding ]###
        load= ':E\x06\xc5\x82\x10\x00hm\xc1\xf2\x16\x02y\x93\xc1Q]#\x8d\\M\x13\xc3\xc98\
x895/\xf2\x00|m\x1d\x13\xe7A\xbbM@\xd0;\xdeR^\xff\xc4\xe8\xb3\x06t\xe0\xa9\x18\xf8\xe8\
xbf>\xf6\xe3P@P\x96m\x19r\x88\xa9\xa6)\xcd\xb3\x99(\x9b\x8ca\xdeG\xd5x\\\xf5z\xa1\xf2\x801\
xbcE\x9ek\xa84\xff\x97\xb8\xfa\xf6\x02:\xd6\x062|'
```

That is coming from a remote computer.

I scanned my computer with nmap:

```text
newton isaac # nmap localhost -P0 -sU

Starting Nmap 4.60 ( http://nmap.org ) at 2008-05-22 17:09 CEST
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48009 > 127.0.0.1:162 ttl=45 id=42515 iplen=28
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48010 > 127.0.0.1:162 ttl=46 id=61534 iplen=28
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48009 > 127.0.0.1:161 ttl=49 id=51586 iplen=28
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48010 > 127.0.0.1:161 ttl=53 id=55886 iplen=28
Interesting ports on newton (127.0.0.1):
Not shown: 1486 closed ports
PORT    STATE         SERVICE
161/udp open|filtered snmp
162/udp open|filtered snmptrap

Nmap done: 1 IP address (1 host up) scanned in 1.534 seconds
```

```text
newton isaac # nmap localhost -P0 -sU

Starting Nmap 4.60 ( http://nmap.org ) at 2008-05-22 17:16 CEST
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48384 > 127.0.0.1:162 ttl=57 id=51835 iplen=28
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48384 > 127.0.0.1:161 ttl=43 id=5579 iplen=28
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48385 > 127.0.0.1:161 ttl=45 id=42307 iplen=28
sendto in send_ip_packet: sendto(4, packet, 28, 0, 127.0.0.1, 16) => Operation not permitted
Offending packet: UDP 127.0.0.1:48385 > 127.0.0.1:162 ttl=42 id=50926 iplen=28
Interesting ports on newton (127.0.0.1):
Not shown: 1486 closed ports
PORT    STATE         SERVICE
161/udp open|filtered snmp
162/udp open|filtered snmptrap
```

Could it be a backdoor? Is that possible?

My dmesg:

```text
bsalg: parser failed
bsalg: parser failed
bsalg: parser failed
bsalg: parser failed
```

```text
newton isaac # uname -a
Linux newton 2.6.23-hardened-r9 #8 SMP Wed Apr 23 00:19:18 CEST 2008 i686 Genuine Intel(R) CPU T2130 @ 1.86GHz GenuineIntel GNU/Linux
```

put in a couple linebreaks to fix long line --bunder

----------

## anxt

I don't follow the "Operation not permitted" errors; perhaps it has to do with the hardened kernel.

Are you running SNMP? Misconfigured SNMP read-write communities could be quite a source of headache.

I.e. people can turn off your uplink port, find out all kinds of info, etc.

I don't think the -P0 should be necessary on localhost, since I have never firewalled my loopback connection (perhaps that is something hardened does?).

As far as the intercepted packets go, maybe use snort or something to look for eggs. If a packet contains, for example, the string "/bin/sh", it might be worth further scrutiny.

Not as a criticism, but it seems to me that sharing too much info about kernel versions, or even boasting about uptime, can reveal the last time a necessary patch was applied. Just food for thought.
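
The "look for eggs" check from the post above, as an added example that is not code from the thread or from snort: it scans a raw payload for shell-path strings, for a long run of 0x90 bytes (the NOP sled that often precedes shellcode) and extracts printable runs the way strings(1) does. The marker list, the sled threshold and both sample payloads are assumptions constructed for the example.

```python
"""Payload "egg" check in the spirit of the snort suggestion above.

Added example, not code from the thread. Scans raw UDP payloads for
indicators that commonly show up in exploit traffic:
  * shell paths and other strings an attacker's payload tends to carry
  * a long run of 0x90 (x86 NOP) bytes, typical of a NOP sled
  * printable runs, for a quick strings(1)-style look at the bytes
Marker list, sled threshold and sample packets are assumptions.
"""
import re

# Assumed marker list; extend it with whatever your environment considers odd.
SUSPICIOUS_STRINGS = [b"/bin/sh", b"/bin/bash", b"/bin/ksh", b"cmd.exe", b"/etc/passwd"]
NOP_SLED_MIN = 16  # consecutive 0x90 bytes before we call it a sled (assumption)


def find_eggs(payload: bytes) -> dict:
    """Return the indicators found in one payload."""
    hits = {"strings": [], "nop_sled": False, "printable": []}
    for marker in SUSPICIOUS_STRINGS:
        if marker in payload:
            hits["strings"].append(marker.decode())
    # rb"\x90{16,}": sixteen or more NOP bytes in a row
    if re.search(rb"\x90{%d,}" % NOP_SLED_MIN, payload):
        hits["nop_sled"] = True
    # printable ASCII runs of four or more bytes, like strings(1)
    hits["printable"] = [s.decode() for s in re.findall(rb"[\x20-\x7e]{4,}", payload)]
    return hits


def is_suspicious(payload: bytes) -> bool:
    """True when a payload carries a known string or a NOP sled."""
    h = find_eggs(payload)
    return bool(h["strings"]) or h["nop_sled"]


# Constructed samples: a sled followed by a small execve("/bin/sh") stub and
# the path as a string, and random-looking junk like the traffic in the
# first post.
SAMPLE_EXPLOIT = (
    b"\x90" * 32
    + b"\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\xcd\x80"
    + b"/bin/sh\x00"
)
SAMPLE_JUNK = bytes([0x3A, 0x45, 0x06, 0xC5, 0x82, 0x10, 0x00, 0x68, 0x6D, 0xC1, 0xF2, 0x16])

if __name__ == "__main__":
    for name, pkt in [("exploit", SAMPLE_EXPLOIT), ("junk", SAMPLE_JUNK)]:
        print(name, find_eggs(pkt))
```

Run it over the Raw and Padding payloads scapy shows and you get a yes/no plus the strings that triggered it; a short junk blob such as the one in the first post yields nothing, which is the expected result for random noise rather than evidence of a backdoor.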

----------

## desultory

Not every vulnerability requires a reboot to repair.

----------

## r420r

 *anxt wrote:*   

> I don't follow the operation not permitted, perhaps it has to do with the hardened.
> 
> Are you running an SNMP?  SNMP read-write communities misconfigured could be quite a source of headache.
> 
> IE people can turn off your uplink port, find out all kinds of info, etc.
> ...

 

SNMP is not working on my system!

```text
newton isaac # eix snmp
* dev-perl/Net-SNMP
     Available versions:  5.2.0
     Homepage:            http://www.cpan.org/modules/by-module/Net/Net-SNMP-5.2.0.readme
     Description:         A SNMP Perl Module

* dev-perl/SNMP_Session
     Available versions:  0.92-r1
     Homepage:            http://www.switch.ch/misc/leinen/snmp/perl/
     Description:         A SNMP Perl Module

* dev-python/pysnmp
     Available versions:  2.0.8 (~)2.0.9 (~)3.4.2 (~)4.1.8a
     Homepage:            http://pysnmp.sf.net/
     Description:         SNMP framework in Python. Not a wrapper.

* dev-python/pysnmp-apps
     Available versions:  (~)0.2.6a
     Homepage:            http://pysnmp.sf.net/
     Description:         SNMP framework in Python - applications

* dev-python/pysnmp-mibs
     Available versions:  (~)0.0.5a
     Homepage:            http://pysnmp.sf.net/
     Description:         SNMP framework in Python - mibs

* dev-python/twistedsnmp
     Available versions:  (~)0.2.9
     Homepage:            http://twistedsnmp.sourceforge.net/
     Description:         SNMP protocols and APIs for use with the Twisted networking framework

* dev-ruby/snmplib
     Available versions:  0.5.1 0.6.1 (~)1.0.1 {doc examples}
     Homepage:            http://snmplib.rubyforge.org/
     Description:         SNMP library implemented in pure Ruby

* net-analyzer/bsnmp
     Available versions:  ~*1.11a {tcpd}
     Homepage:            http://people.freebsd.org/~harti/
     Description:         Mini-SNMP Daemon and Library

* net-analyzer/nagios-plugins-snmp
     Available versions:  (~)0.5.5
     Homepage:            http://nagios.manubulon.com
     Description:         Additional Nagios plugins for monitoring SNMP capable devices

* net-analyzer/net-snmp
     Available versions:  (~)5.2.2-r3 (~)5.3.1-r1 5.4 5.4.1-r1 5.4.1-r3 {X diskio doc elf extensible ipv6 lm_sensors mfd-rewrites minimal perl python rpm selinux sendmail smux ssl tcpd}
     Homepage:            http://net-snmp.sourceforge.net/
     Description:         Software for generating and retrieving SNMP data

* net-analyzer/snmptt
     Available versions:  1.2 {mysql postgres}
     Homepage:            http://www.snmptt.org/
     Description:         SNMP Trap Translator

* net-libs/libksnmp
     Available versions:  (~)0.3 {arts debug elibc_FreeBSD xinerama}
     Homepage:            http://dev.gentoo.org/~flameeyes/kdeapps#libksnmp
     Description:         KDE library to access SNMP statistics

* sec-policy/selinux-snmpd
     Available versions:  20070329 20070928 (~)20080525
     Homepage:            http://www.gentoo.org/proj/en/hardened/selinux/
     Description:         SELinux policy for snmp daemons

* www-apache/mod_ap2_snmp
     Available versions:  (~)1.04
     Homepage:            http://mod-apache-snmp.sourceforge.net/
     Description:         mod_ap2_snmp allows to monitor the Apache Web Server by SNMP
```

Not installed.

```sh
iptables -A INPUT -j DROP -p udp --destination-port 33296
iptables -A INPUT -j DROP -p udp --destination-port 161
iptables -A INPUT -j DROP -p udp --destination-port 162
```

I blocked ports like these, but I don't know what to do.

```text
newton isaac # lsmod |nopaste
http://rafb.net/p/ouavDQ42.html
newton isaac # lsof |nopaste
http://rafb.net/p/Ga3jmE72.html
newton isaac #
```

How can I close this port?

----------

## r420r

```text
newton isaac # uname -a
Linux newton 2.6.24-hardened-r2 #1 SMP Thu May 29 21:22:19 CEST 2008 i686 Genuine Intel(R) CPU T2130 @ 1.86GHz GenuineIntel GNU/Linux
```

Same problem...

----------

## octanez

Can you try running nmap with the "-A" flag (after removing your firewall rules) and see what service nmap thinks is running on that port, rather than what is officially registered for that port?

----------

## kerframil

r420r, would you please mark this thread as solved? As I mentioned on freenode:

- "Operation not permitted" errors will occur in nmap if you are disallowing INVALID packets on your OUTPUT chain.
- The reason the ports are showing as "open|filtered" is because, as you neglect to mention in your original post, your iptables rules explicitly DROP packets targeted to the ports in question (which are not even bound by an application in the first place).
- The junk traffic you receive from your Internet-connected interface is not uncommon and, in itself, does not imply a compromise.

To explain further on the second point, UDP, unlike TCP, is connectionless. Under normal circumstances, if a UDP packet arrives at an unbound port, that is, a port not in use by a service, then nothing will be emitted in response. However, in your attempt to "close" the port (quotes intended, as what you are really doing is filtering the port), you are actually causing an ICMP packet (of type icmp-unreachable) to be returned to the scanning host. The moral of the story is to never filter traffic to UDP ports that are not actually in use by a service/application.

In this case, nmap will receive the icmp-unreachable packet and, simply by way of the response, it will deduce that the port is open and filtered. Get rid of the offending iptables rules and both ports should disappear in your scan.

As for the bsalg parser error (which refers to the nf_nat_snmp_basic module), I am not sure what is causing that but I don't believe it to be connected to the aforementioned.

----------

## kerframil

Also, I forgot to mention that "open|filtered" means that nmap can't necessarily tell whether the port is open or filtered and is therefore not conclusive. UDP scans are generally not reliable. Upstream says this about UDP scans:

- If an ICMP port unreachable error (type 3, code 3) is returned, the port is closed.
- Other ICMP unreachable errors (type 3, codes 1, 2, 9, 10, or 13) mark the port as filtered.

My suggestion would be to run tcpdump to see what is going on and scan yourself both with and without the iptables rules I refer to in place. I still think your problems will be solved by removing them.
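
The UDP port-state rules quoted above, written out as runnable logic so you can see why a probe that gets a particular reply lands in a particular column of the nmap output. This is an added example, not nmap's code and not from the thread; it implements the two rules the post quotes from nmap's documentation (type 3 code 3 is closed; type 3 codes 1, 2, 9, 10 or 13 are filtered) together with the two cases nmap's documentation also defines (a UDP reply means open, no reply at all means open|filtered). The `Reply` type and the sample replies per port are constructed for the example.

```python
"""nmap -sU port-state classification, as an added example.

Not nmap's code and not from the thread. Given the reply one UDP probe
received (or None for silence), return the state nmap reports:
  * UDP payload back                          -> open
  * ICMP type 3, code 3 (port unreachable)    -> closed
  * ICMP type 3, code 1/2/9/10/13             -> filtered
  * nothing back, or anything else            -> open|filtered
The Reply type and the SAMPLE table are assumptions for the example.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Reply:
    kind: str          # "udp" (service answered) or "icmp"
    icmp_type: int = 0
    icmp_code: int = 0


# ICMP destination-unreachable codes nmap maps to "filtered"
FILTERED_CODES = {1, 2, 9, 10, 13}


def udp_port_state(reply: Optional[Reply]) -> str:
    """State nmap reports for a UDP probe that got `reply` (None = silence)."""
    if reply is None:
        return "open|filtered"   # no answer: open-and-silent or dropped, can't tell
    if reply.kind == "udp":
        return "open"            # something is listening and talked back
    if reply.kind == "icmp" and reply.icmp_type == 3:
        if reply.icmp_code == 3:
            return "closed"      # port unreachable: nothing bound there
        if reply.icmp_code in FILTERED_CODES:
            return "filtered"    # net/host/admin prohibited and friends
    return "open|filtered"       # any other reply is inconclusive


def scan_report(results: Dict[int, Optional[Reply]]) -> Dict[int, str]:
    """Map port -> reply into port -> state, like the nmap -sU summary."""
    return {port: udp_port_state(r) for port, r in results.items()}


# Constructed replies for the ports discussed in the thread plus one
# real service, to show every branch.
SAMPLE: Dict[int, Optional[Reply]] = {
    161: None,                   # no reply within the timeout
    162: Reply("icmp", 3, 13),   # administratively prohibited, e.g. a REJECT rule
    33296: Reply("icmp", 3, 3),  # nothing bound, kernel answers port unreachable
    53: Reply("udp"),            # a listening service answered
}

if __name__ == "__main__":
    for port, state in sorted(scan_report(SAMPLE).items()):
        print(f"{port}/udp {state}")
```

The point for the thread: a silent port and an open-but-quiet port look identical to the scanner, so "open|filtered" on 161 and 162 says nothing on its own, and the tcpdump check suggested above is what actually distinguishes the cases.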

----------

## r420r

OK, now I don't have the problem, because I updated my whole system.

No backdoor etc. now.

----------

