[mythtv-users] pcHDTV.com defaced AGAIN
Andrew Dodd
atd7 at cornell.edu
Sat Dec 25 03:06:20 UTC 2004
Quoting Anthony Vito <anthony.vito at gmail.com>:
> > The fix is to upgrade php itself to a non-vulnerable version I believe.
> >
> > Google are supposed to have blocked the search that the worm was using
> > to spread itself though.
>
> Probably not something to bet the house on. Anyone could still
> manually exploit the security hole as well..... I haven't seen any
> change from the server yet.... like... a basic firewall....
>
> ]# nmap -sS pchdtv.com
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-12-22 10:51 EST
> Interesting ports on powell.slcinet.net (128.121.217.18):
> (The 1635 ports scanned but not shown below are in state: closed)
> PORT STATE SERVICE
> 21/tcp open ftp
> 22/tcp open ssh
> 23/tcp open telnet
> 25/tcp open smtp
> 79/tcp open finger
> 80/tcp open http
> 106/tcp open pop3pw
> 110/tcp open pop-3
> 119/tcp open nntp
> 139/tcp open netbios-ssn
> 143/tcp open imap
> 443/tcp open https
> 513/tcp open login
> 514/tcp open shell
> 587/tcp open submission
> 990/tcp open ftps
> 992/tcp open telnets
> 993/tcp open imaps
> 995/tcp open pop3s
> 2401/tcp open cvspserver
> 3306/tcp open mysql
> 5190/tcp open aol
>
>
> I haven't seen an internet server this unsecure since the Helsinki
> incident of 1919, and I think we all know how that turned out.
Just a comment - Doing a portscan of a machine AFTER it is known to have been
compromised is kind of pointless.
You have no idea which of those particular ports may have been opened up by
whoever compromised the box.
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
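
Added example, not part of the original message: the reply's point is that a scan taken after a compromise has nothing to be compared against. The sketch below shows the comparison that a pre-incident baseline makes possible; the baseline ports and the scan excerpt are constructed for illustration and are not taken from the host discussed in the thread.

```python
import re

# Constructed baseline: services recorded as intentionally exposed
# before any incident (hypothetical values, not from the thread).
BASELINE = {22: "ssh", 25: "smtp", 80: "http", 443: "https"}

# Constructed post-incident scan excerpt in nmap's normal output layout.
SCAN = """\
PORT     STATE  SERVICE
22/tcp   open   ssh
23/tcp   open   telnet
80/tcp   open   http
443/tcp  open   https
514/tcp  open   shell
3306/tcp closed mysql
"""

# port/proto, state, service name
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

def open_ports(nmap_text):
    """Return {port: service} for lines the scan reports as 'open'."""
    found = {}
    for line in nmap_text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group(3) == "open":
            found[int(m.group(1))] = m.group(4)
    return found

def compare(baseline, scan_text):
    """Classify scanned ports against the recorded baseline.

    'expected' only means the port number was in the baseline; it does
    not show that the program listening there is still the original one.
    """
    seen = open_ports(scan_text)
    return {
        "unexpected": sorted(set(seen) - set(baseline)),
        "missing": sorted(set(baseline) - set(seen)),
        "expected": sorted(set(seen) & set(baseline)),
    }

if __name__ == "__main__":
    for kind, ports in compare(BASELINE, SCAN).items():
        print(f"{kind:10} {ports}")
```

Without the `BASELINE` record, every port in the scan falls into a single undifferentiated list, which is the situation the reply describes.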