6 Replies Latest reply: Sep 15, 2013 9:31 PM by Chandan Kumar

    Backdoor Catch-All - How to Fix?

    Chandan Kumar

      Greetings,

      I executed McAfee Vulnerability Scanning on my web server and it has captured (Backdoor Catch-All). Does anyone know how to fix this?


      Report details:


      Backdoor Catch-All

      Description

      This plugin flags open and unidentified ports that backdoors have been known to operate over.

      Solution

      Investigate service to determine its legitimacy.

      Detail

      This port was found to be open and its service could not be identified. Backdoors are known to operate over this port. Please verify that a legitimate service is listening on this port.

      ----------------------------------------------------------------

      Backdoor(s) known to operate over port 443 (TCP):

      Slapper

      Appreciate any help.

        • 1. Re: Backdoor Catch-All - How to Fix?
          Heather Mentzer

          Moving Discussion to MVM for an answer.

          • 2. Re: Backdoor Catch-All - How to Fix?
            shaminder.singh

            Hi Team,

            I have executed the scan and found the same vulnerability.

            Below are the details I have got from scan results:

            This port was found to be open and its service could not be identified. Backdoors are known to operate over this port. Please verify that a legitimate service is listening on this port.

            ----------------------------------------------------------------

            Backdoor(s) known to operate over port 80 (TCP):

            711 trojan (Seven Eleven), AckCmd, BlueFire, Cafeini, Duddie, Executor, God Message, Intruzzo , Latinus, Lithium, MscanWorm, NerTe, Nimda, Noob, Optix Lite, Optix Pro , Power, Ramen, Remote Shell , Reverse WWW Tunnel Backdoor , RingZero, RTB 666, Scalper, Screen Cutter , Seeker, Slapper, Web Server CT , WebDownloader

            Can you please suggest the possible fix for this vulnerability.

            Thanks,

            Shaminder Singh

            RHCE

            • 3. Re: Backdoor Catch-All - How to Fix?
              John M Sopp

              What this check is saying is that this may be a backdoor. Like all of the Top Weekly Malware or AV-style checks in MVM, there is a high false positive rate. You need to investigate manually and determine what is running on that system on that port.

              Most of the time it's some non malicious service.

              I personally disable these checks and would recommend doing so, as MVM is not designed to detect malware well.

              The only use case I see for this check is when you are trying to determine if a system is behaving maliciously based on alerts in other security controls (AV scanners, IPS/IDS, network forensics) etc. You can use this info as part of your "evidence", but I wouldn't bank on it without manual investigation.
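The manual investigation John describes comes down to one question per flagged port: which process is actually bound to it, and is that the service you expect on that host? The script below is an added example, not code from any poster in this thread or from McAfee. It parses the output of `ss -ltnp` on a Linux host, maps each listening port to its owning process, and compares the scanner's flagged ports against a per-host allowlist that the administrator fills in from their own build documentation. The sample `ss` output, the allowlist, and the flagged port list are all constructed for the example; the `absent` verdict covers the case reported later in this thread, where a port is flagged in one scan and nothing is listening by the time you look.

```python
"""Triage a 'Backdoor Catch-All' style finding: identify what is bound to each flagged port."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the format of `ss -ltnp` on a Linux host (not real scan data).
# Port 3306 has no process column, as happens when ss is not run as root.
SAMPLE_SS_OUTPUT = """State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:80          0.0.0.0:*          users:(("httpd",pid=1234,fd=4),("httpd",pid=1235,fd=4))
LISTEN  0       511     0.0.0.0:443         0.0.0.0:*          users:(("httpd",pid=1234,fd=6))
LISTEN  0       511     [::]:443            [::]:*             users:(("httpd",pid=1234,fd=7))
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*          users:(("sshd",pid=800,fd=3))
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     0.0.0.0:8081        0.0.0.0:*          users:(("node",pid=4321,fd=3))
"""

# Constructed allowlist: which process names are legitimate on which port for THIS host.
EXPECTED: Dict[int, set] = {80: {"httpd"}, 443: {"httpd"}, 22: {"sshd"}}


@dataclass(frozen=True)
class Listener:
    address: str
    port: int
    process: Optional[str]  # None when ss could not show the owner
    pid: Optional[int]


# One LISTEN row: state, recv-q, send-q, local addr:port, peer addr:port, optional users:(...) column.
_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+(?:\s+users:\((?P<procs>.*)\))?\s*$")
_PROC = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text: str) -> Dict[int, List[Listener]]:
    """Map each listening TCP port to the Listener entries (one per owning process) bound to it."""
    listeners: Dict[int, List[Listener]] = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if not m:
            continue  # header line or a non-LISTEN socket
        addr, _, port_str = m.group("local").rpartition(":")  # handles 0.0.0.0:443 and [::]:443
        port = int(port_str)
        procs = _PROC.findall(m.group("procs") or "")
        if procs:
            for name, pid in procs:
                listeners.setdefault(port, []).append(Listener(addr, port, name, int(pid)))
        else:
            listeners.setdefault(port, []).append(Listener(addr, port, None, None))
    return listeners


def triage(flagged_ports: List[int], listeners: Dict[int, List[Listener]],
           expected: Dict[int, set]) -> Dict[int, Tuple[str, List[str]]]:
    """Return (status, process_names) per flagged port.

    absent        nothing bound now; rescan, the earlier hit may have been transient
    unidentified  a socket is open but ss showed no owner; rerun ss as root
    expected      every owning process is on the allowlist for that port
    unexpected    at least one owning process is not on the allowlist; investigate it
    """
    verdicts: Dict[int, Tuple[str, List[str]]] = {}
    for port in flagged_ports:
        owners = listeners.get(port, [])
        if not owners:
            verdicts[port] = ("absent", [])
        elif any(o.process is None for o in owners):
            verdicts[port] = ("unidentified", [])
        else:
            names = sorted({o.process for o in owners})
            status = "expected" if set(names) <= expected.get(port, set()) else "unexpected"
            verdicts[port] = (status, names)
    return verdicts


if __name__ == "__main__":
    # Live run on the local host; requires root for the process column.
    live = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    for port, (status, names) in triage([80, 443], parse_ss_listeners(live), EXPECTED).items():
        print(f"port {port}: {status} {' '.join(names)}")
```

Run it as root on the scanned server with the ports from the report as `flagged_ports`; an `expected` result is your evidence that a legitimate service owns the port, an `unexpected` result names the process to look at, and `absent` matches the "clean on rescan" behaviour, since the scanner only ever saw an open port it could not fingerprint.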

              • 4. Re: Backdoor Catch-All - How to Fix?
                rhy

                So this message is basically just a blanket message for any server with port 443 open?

                • 5. Re: Backdoor Catch-All - How to Fix?
                  Chandan Kumar

                  Hi John,

                  I would have to agree with you, false alarm. It was quite strange that in the next security scan my report was clean. I know there was nothing done to fix this; it's just that I tried multiple times and am not getting it anymore.

                  • 6. Re: Backdoor Catch-All - How to Fix?
                    Chandan Kumar

                    Hi,

                    It was on a server with port 443. I executed the scan again and the message was gone. Quite strange though!