
This program locally checks for signs of a rootkit. Forked to fix a false positive for the SucKIT rootkit.
http://www.chkrootkit.org/

icinga2 API port gets detected as bindshell #8

Open braegel opened 5 years ago

braegel commented 5 years ago
Checking `bindshell'...                                     INFECTED (PORTS:  5665)
root@device ~ # netstat -tulpen | grep 5665
tcp        0      0 0.0.0.0:5665            0.0.0.0:*               LISTEN      121        23103      1806/icinga2
root@heimeran ~ # nmap -sV localhost -p 5665
PORT     STATE SERVICE     VERSION
5665/tcp open  ssl/unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port5665-TCP:V=7.40%T=SSL%I=7%D=7/9%Time=5D24301B%P=x86_64-pc-linux-gnu
SF:%r(GetRequest,A2,"HTTP/1\.0\x20401\x20Unauthorized\r\nContent-Type:\x20
SF:text/html\r\nWWW-Authenticate:\x20Basic\x20realm=\"Icinga\x202\"\r\nCon
SF:tent-Length:\x2021\r\nServer:\x20Icinga/r2\.6\.0-1\r\n\r\n<h1>Unauthori
SF:zed</h1>")%r(HTTPOptions,AD,"HTTP/1\.0\x20400\x20Wrong\x20Accept\x20hea
SF:der\r\nContent-Type:\x20text/html\r\nContent-Length:\x2067\r\nServer:\x
SF:20Icinga/r2\.6\.0-1\r\n\r\n<h1>Accept\x20header\x20is\x20missing\x20or\
SF:x20not\x20set\x20to\x20'application/json'\.</h1>")%r(RTSPRequest,9A,"HT
SF:TP/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encoding:\x20chunked\r\nSe
SF:rver:\x20Icinga/r2\.6\.0-1\r\n\r\n3e\r\n<h1>Bad\x20request</h1><p><pre>
SF:Unsupported\x20HTTP\x20version</pre></p>\r\n0\r\n\r\n")%r(Help,96,"HTTP
SF:/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encoding:\x20chunked\r\nServ
SF:er:\x20Icinga/r2\.6\.0-1\r\n\r\n3a\r\n<h1>Bad\x20request</h1><p><pre>In
SF:valid\x20HTTP\x20request</pre></p>\r\n0\r\n\r\n")%r(SSLSessionReq,96,"H
SF:TTP/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encoding:\x20chunked\r\nS
SF:erver:\x20Icinga/r2\.6\.0-1\r\n\r\n3a\r\n<h1>Bad\x20request</h1><p><pre
SF:>Invalid\x20HTTP\x20request</pre></p>\r\n0\r\n\r\n")%r(TLSSessionReq,96
SF:,"HTTP/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encoding:\x20chunked\r
SF:\nServer:\x20Icinga/r2\.6\.0-1\r\n\r\n3a\r\n<h1>Bad\x20request</h1><p><
SF:pre>Invalid\x20HTTP\x20request</pre></p>\r\n0\r\n\r\n")%r(Kerberos,96,"
SF:HTTP/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encoding:\x20chunked\r\n
SF:Server:\x20Icinga/r2\.6\.0-1\r\n\r\n3a\r\n<h1>Bad\x20request</h1><p><pr
SF:e>Invalid\x20HTTP\x20request</pre></p>\r\n0\r\n\r\n")%r(FourOhFourReque
SF:st,A2,"HTTP/1\.0\x20401\x20Unauthorized\r\nContent-Type:\x20text/html\r
SF:\nWWW-Authenticate:\x20Basic\x20realm=\"Icinga\x202\"\r\nContent-Length
SF::\x2021\r\nServer:\x20Icinga/r2\.6\.0-1\r\n\r\n<h1>Unauthorized</h1>")%
SF:r(LPDString,96,"HTTP/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encoding
SF::\x20chunked\r\nServer:\x20Icinga/r2\.6\.0-1\r\n\r\n3a\r\n<h1>Bad\x20re
SF:quest</h1><p><pre>Invalid\x20HTTP\x20request</pre></p>\r\n0\r\n\r\n")%r
SF:(SIPOptions,152,"HTTP/1\.1\x20400\x20Bad\x20request\r\nTransfer-Encodin
SF:g:\x20chunked\r\nServer:\x20Icinga/r2\.6\.0-1\r\n\r\n4d\r\n<h1>Bad\x20r
SF:equest</h1><p><pre>Invalid\x20URL:\x20'/'\x20expected\x20after\x20schem
SF:e\.</pre></p>\r\n0\r\n\r\nHTTP/1\.1\x20400\x20Bad\x20request\r\nTransfe
SF:r-Encoding:\x20chunked\r\nServer:\x20Icinga/r2\.6\.0-1\r\n\r\n4d\r\n<h1
SF:>Bad\x20request</h1><p><pre>Invalid\x20URL:\x20'/'\x20expected\x20after
SF:\x20scheme\.</pre></p>\r\n0\r\n\r\n");