# port 1234 hotline [solved]

## Superduck

Just scanned (nmap) my gentoo server and found out that there was a strange service running. On port 1234 a hotline service was running. After googling for some time I found out that this seems to be a serv-u ftp running. The strange thing is that it's filtered and the normal tools (ps, top) etc. don't show it, but then again they might as well just have replaced these.

Any tips other than reinstalling? Anyone know more about this hotline service?

Last edited by Superduck on Sun Apr 18, 2004 6:00 pm; edited 1 time in total

----------

## garn

netstat -antp as root

does that show port 1234 and what process is using it?

----------

## speed_bump

*Superduck wrote:*

> Just scanned (nmap) my gentoo server and found out that there was a strange service running. On port 1234 a hotline service was running. After googling for some time I found out that this seems to be a serv-u ftp running. The strange thing is that it's filtered and the normal tools (ps, top) etc. don't show it, but then again they might as well just have replaced these.
> 
> Any tips other than reinstalling? Anyone know more about this hotline service?

It doesn't sound good. If you didn't install this, and you can't see the processes, I'm betting you won't see anything with netstat either. As you note, the executables may well have been replaced. The other possibility is that there's a kernel module loaded which is hiding things at the kernel level. Not cool.

In any case, the only way to really be sure your system is clean will be to reinstall. However, on the bright side you have an opportunity to look over your system and see what they've done. It can be very interesting and very instructive. Take a good look at it before reinstalling. 

To take a good look at the system, you should probably boot off of a liveCD and mount the filesystems read-only. Typical hiding places for rootkits include /dev and /var where weird looking names are easily overlooked. The chkrootkit program may be able to locate the rootkit as well, although if things are being hidden by a kernel module it may not tell you much.

If you can find the location of the rootkit you may be able to "unhide" its activities and get a better handle on the extent of the intrusion. Other typical things to look for are ssh running on a high numbered port, IRC bots listening (port 6667), trojaned executables (login, ssh, telnet, etc) - to pick up local passwords, and a packet sniffer. 

The major problem is that there are simply too many ways to create back doors into the system to be sure that you've gotten them all if you clean it up by hand. The only way to be sure of your system integrity after this point will be fdisk and reinstall. It sucks, but better safe than sorry.

Best of luck!

----------

## Superduck

speed_bump: Thanx for the tips. 

I thought someone would know something about this hotline service as nmap seems to know what it is...

----------

## Superduck

*garn wrote:*

> netstat -antp as root
> 
> does that show port 1234 and what process is using it?

Nothing shows up. The funny thing is that it's filtered also, so telnet'ing to the port doesn't work.

----------

## speed_bump

*Superduck wrote:*

> speed_bump: Thanx for the tips. 
> 
> I thought someone would know something about this hotline service as nmap seems to know what it is...

Well, in this case, it's most likely that nmap is simply reporting the typical use of the port which appears to be the hotline p2p app. It's very possible for any other program to listen on that TCP port so we don't know anything for certain yet. Is nmap reporting the port as filtered, or are you just unable to connect? Do you have any sort of firewall between your scanning machine and the gentoo machine? 

It may be that I'm jumping to conclusions here, so let's cover all of our bases before taking drastic action. Can you describe in more detail how your network is set up and how you're conducting the scan? Nothing fancy, just a quick overview might shed some light on this.

Thx.

----------

## Superduck

*speed_bump wrote:*

> *Superduck wrote:*
> 
> > speed_bump: Thanx for the tips. 
> > 
> > I thought someone would know something about this hotline service as nmap seems to know what it is... 
> 
> Well, in this case, it's most likely that nmap is simply reporting the typical use of the port which appears to be the hotline p2p app. It's very possible for any other program to listen on that TCP port so we don't know anything for certain yet. Is nmap reporting the port as filtered, or are you just unable to connect?

It's nmap that is reporting the port as filtered. 

*speed_bump wrote:*

> Do you have any sort of firewall between your scanning machine and the gentoo machine? 

Key question. I scanned my server on both sides of the router and it seems that the port 1234 is only showing up when I'm scanning from the outside. This led me to think that the router had opened the port for something and after logging in, I could confirm that this was really the case.

So it seems there was no problem after all.

The original link that got me really worried was:

http://www.westernlug.org/mail-archives/2003-January/006478.html

I am normally pretty paranoid about security and for that reason I run only a minimal number of services, but I have for a long time not firewalled my mail and imap server, which led me to believe that they might have been compromised. 

*speed_bump wrote:*

> It may be that I'm jumping to conclusions here, so let's cover all of our bases before taking drastic action. Can you describe in more detail how your network is set up and how you're conducting the scan? Nothing fancy, just a quick overview might shed some light on this.
> 
> Thx.

Thank you.
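The inside-versus-outside comparison that resolved this thread, written up as an added example (not code from any poster): it parses constructed `netstat -antp` and nmap output and lists the ports seen from outside that have no local listener, which is exactly the discrepancy that points either at the router or at something hidden on the host.

```python
# Added example, not from this thread: compare an external port scan with what
# the host itself reports as listening. A port visible from outside with no local
# listener is answered by an upstream device (the router here) or hidden on the host.
import re

# Constructed: trimmed 'netstat -antp' output as run by root on the server.
NETSTAT_OUTPUT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:143             0.0.0.0:*               LISTEN      955/imapd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1010/mysqld
tcp        0      0 192.168.1.10:22         192.168.1.5:40112       ESTABLISHED 1201/sshd
"""

# Constructed: trimmed nmap port table from a scan run on the Internet side of the router.
NMAP_OUTPUT = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
143/tcp  open     imap
1234/tcp filtered hotline
"""

def listening_ports(netstat_text):
    """Return {port: program} for every TCP socket in LISTEN state."""
    ports = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) >= 7 and fields[0].startswith("tcp") and fields[5] == "LISTEN":
            port = int(fields[3].rsplit(":", 1)[1])   # strip the bind address
            ports[port] = fields[6]
    return ports

def scanned_ports(nmap_text):
    """Return {port: state} for every port nmap reports as open or filtered."""
    pattern = r"^(\d+)/tcp\s+(open\|filtered|open|filtered)\b"
    return {int(m.group(1)): m.group(2) for m in re.finditer(pattern, nmap_text, re.M)}

def compare(netstat_text, nmap_text):
    local = listening_ports(netstat_text)
    remote = scanned_ports(nmap_text)
    return {
        # seen from outside, no local listener: router/firewall answering, or hidden on the host
        "unexplained": sorted(p for p in remote if p not in local),
        # listening locally but not reachable from outside: shielded by the firewall/router
        "shielded": sorted(p for p in local if p not in remote),
    }
```

Running the same comparison with a scan taken from the LAN side tells the two cases apart: a port that vanishes from the inside scan belongs to the router, one that stays is on the host.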

----------