[mythtv-users] pcHDTV.com defaced AGAIN

Andrew Dodd atd7 at cornell.edu
Sat Dec 25 03:06:20 UTC 2004


Quoting Anthony Vito <anthony.vito at gmail.com>:

> > The fix is to upgrade php itself to a non-vulnerable version I believe.
> >
> > Google are supposed to have blocked the search that the worm was using
> > to spread itself though.
>
> Probably not something to bet the house on. Anyone could still
> manually exploit the security hole as well..... I haven't seen any
> change from the server yet.... like... a basic firewall....
>
> ]# nmap -sS pchdtv.com
>
> Starting nmap 3.48 ( http://www.insecure.org/nmap/ ) at 2004-12-22 10:51 EST
> Interesting ports on powell.slcinet.net (128.121.217.18):
> (The 1635 ports scanned but not shown below are in state: closed)
> PORT     STATE SERVICE
> 21/tcp   open  ftp
> 22/tcp   open  ssh
> 23/tcp   open  telnet
> 25/tcp   open  smtp
> 79/tcp   open  finger
> 80/tcp   open  http
> 106/tcp  open  pop3pw
> 110/tcp  open  pop-3
> 119/tcp  open  nntp
> 139/tcp  open  netbios-ssn
> 143/tcp  open  imap
> 443/tcp  open  https
> 513/tcp  open  login
> 514/tcp  open  shell
> 587/tcp  open  submission
> 990/tcp  open  ftps
> 992/tcp  open  telnets
> 993/tcp  open  imaps
> 995/tcp  open  pop3s
> 2401/tcp open  cvspserver
> 3306/tcp open  mysql
> 5190/tcp open  aol
>
>
> I haven't seen an internet server this unsecure since the Helsinki
> incident of 1919, and I think we all know how that turned out.

Just a comment - Doing a portscan of a machine AFTER it is known to have been
compromised is kind of pointless.

You have no idea which of those particular ports may have been opened up by
whoever compromised the box.


