Port 2128 backdoor?
Saverio
One of the routine checkers (rkhunter) in our systems reported a warning for a backdoor on
port tcp 2128, which in subsequent checks disappeared.
The system now looks fine.

Now, I couldn't find anything detailed around the net, except that in past versions of
rkhunter, that port corresponded to some 'MRK' malware.

Does anybody have any pointers?
Which is the most appropriate strategy to adopt in these cases? Total disconnection &
reinstall in case I don't find any better information?
TheSentinel
Hi Saverio

and welcome to GSF. Hope you'll enjoy our little community.

I assume you're talking about a Linux-based system here, right? Regarding your question, I've done some searches on Google and Bing.

Without knowing what is running on that system, I would do the following:
I would back up the data and run multiple intensive deep scans on it. It may be that the cause of your reported problem is hidden in a file there.
If possible, I would set up a new system, installing the latest patches and fixes for the OS, or maybe look for a specially hardened version of your OS, and restore the previously checked files afterwards.

Can you give us some more details about your system, like the OS in use? Thanks in advance for your help.

Regards
BU
Saverio
The system is Ubuntu 8.04.

Thanks for the suggestion - of course, this being a running server, reinstalling everything would have been the last step :-)

Anyway, I checked our two integrity checkers - and they were fine, so I'm assuming no tampering has been done (at least, for the checks).

What is most likely to have been the cause is a conflict with snort - it was installed by the last system administrator.
We uninstalled it, and we're now monitoring if it happens again.

Thanks!
Saverio
TheSentinel
Hi Saverio

You are always welcome.

Regards
B. Udo