6. Which instances of the SSH servers from question 5 were run?
It might be that the attacker ran different versions on
different ports at different times.
Anyway, the instances of ssh that we described in the previous
answer were running:
PID | Proc.Name | Name of service that normally uses that port | Port | Proto |
25239 | xopen | | 3049 | UDP |
25241 | xopen | squid-proxy | 3128 | TCP |
3137 | smbd -D | http | 80 | TCP |
3137 | smbd -D | https | 443 | TCP |
3137 | smbd -D | cfinger | 2003 | TCP |
669 | sshd | ssh | 22 | TCP |