[mythtv-users] pcHDTV.com defaced AGAIN

Anthony Vito anthony.vito at gmail.com
Wed Dec 22 20:56:35 UTC 2004


> First off it's phpbb that's causing the problems. They need to keep phpBB
> up to date. Second, you can't tell that the server is insecure just by
> running that simple nmap command. NMap just returns areas of interest so
> you can look into them further. It says aol but it's just reporting what
> services are known to run on that port. For example I run my mythweb
> apache server on port 1234, which nmap reports as "hotline". Many of
> those services are required for most websites like http/https, ftp, ssh,
> and pop3. Just because those apps are running doesn't mean the server is
> insecure. They could have a firewall running and those are the open
> ports (they might want to firewall mysql, however). Sorry if this is
> getting too OT.

phpBB is merely a signal something needs to be done. People don't
remap ports on production servers that much. I checked out most of the
open ports and they are running their respective services, with one
extra mapping. Every open service is just an invitation for exploits,
and something that needs to be added to the patch watch list, so if an
issue comes up it gets fixed before an exploit gets to you. Sometimes,
that's not possible.

]# ftp pchdtv.com
Connected to pchdtv.com (128.121.217.18).
220 ProFTPD 1.2.10 Server (ProFTPD) [128.121.217.18]
Name (pchdtv.com:blah): pchdtv
331 Password required for pchdtv.
Password:
530 Login incorrect.
Login failed.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> quit
221 Goodbye.

]# ssh pchdtv@pchdtv.com
The authenticity of host 'pchdtv.com (128.121.217.18)' can't be established.
RSA key fingerprint is d0:db:8a:cb:74:c8:37:e4:9e:71:fc:7a:eb:d6:40:81.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'pchdtv.com,128.121.217.18' (RSA) to the list of known hosts.
pchdtv@pchdtv.com's password:

]# telnet pchdtv.com
Trying 128.121.217.18...
Connected to pchdtv.com.
Escape character is '^]'.
 
FreeBSD/i386 (powell.slcinet.net) (ttyp0)
 
login: pchdtv
Password:
Login incorrect

]# finger blah@pchdtv.com
finger: blah: no such user
]# finger pchdtv@pchdtv.com
]#

##### Now we know pchdtv is a valid user on the server..


]# telnet pchdtv.com 5190
Trying 128.121.217.18...
Connected to pchdtv.com.
Escape character is '^]'.
220 powell.slcinet.net ESMTP Sendmail 8.12.11/8.12.9; Wed, 22 Dec 2004 13:30:23 -0700 (MST)

#### You were right about AIM, it's just being used as an email port.

#] telnet pchdtv.com 25
Trying 128.121.217.18...
Connected to pchdtv.com.
Escape character is '^]'.
220 powell.slcinet.net ESMTP Sendmail 8.12.11/8.12.9; Wed, 22 Dec 2004 13:30:52 -0700 (MST)




-- 
Anthony Vito
anthony.vito at gmail.com
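
Added example, not part of the original message: a small inventory check an administrator could run over greetings collected from their own server, identifying each service from its greeting rather than from the port-number label and building the patch watch list the message describes. The function names and the port 110 sample line are assumptions made for illustration; the other greetings are the ones shown in the transcript above.

```python
import re

# Names a port-number lookup table gives these ports (21, 25 and 110 are the
# IANA assignments; "aol" for 5190 is the label discussed in the thread).
PORT_LABELS = {21: "ftp", 25: "smtp", 110: "pop3", 5190: "aol"}

# Greeting signatures: (service, product, pattern capturing the version).
SIGNATURES = [
    ("ftp", "ProFTPD", re.compile(r"^220 ProFTPD (\S+) Server")),
    ("smtp", "Sendmail", re.compile(r"^220 \S+ ESMTP Sendmail ([\d.]+)/")),
]

# Greetings for 21, 5190 and 25 are copied from the transcript above;
# the port 110 line is constructed to show an unrecognised greeting.
OBSERVED = {
    21: "220 ProFTPD 1.2.10 Server (ProFTPD) [128.121.217.18]",
    5190: "220 powell.slcinet.net ESMTP Sendmail 8.12.11/8.12.9; Wed, 22 Dec 2004 13:30:23 -0700 (MST)",
    25: "220 powell.slcinet.net ESMTP Sendmail 8.12.11/8.12.9; Wed, 22 Dec 2004 13:30:52 -0700 (MST)",
    110: "+OK ready",
}


def identify(banner):
    """Return (service, product, version) for a greeting, or None."""
    for service, product, pattern in SIGNATURES:
        match = pattern.search(banner)
        if match:
            return service, product, match.group(1)
    return None


def audit(observed):
    """Compare each port's table label with what the greeting shows."""
    watch, findings = {}, []
    for port in sorted(observed):
        label = PORT_LABELS.get(port, "unknown")
        hit = identify(observed[port])
        if hit is None:
            findings.append((port, label, "unidentified"))
            continue
        service, product, version = hit
        # One watch-list entry per product and version, with every port it answers on.
        watch.setdefault((product, version), []).append(port)
        findings.append((port, label, "ok" if service == label else "label-mismatch"))
    return watch, findings


if __name__ == "__main__":
    watch, findings = audit(OBSERVED)
    for row in findings:
        print(row)
    for (product, version), ports in sorted(watch.items()):
        print(f"watch: {product} {version} on ports {ports}")
```
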

