Security Incidents mailing list archives
Re: afs3 exploit??
From: coldfire () CLOSED-NETWORKS COM (Cold Fire)
Date: Wed, 31 May 2000 03:23:06 +0100
On Thu, May 25, 2000 at 01:30:07PM -0500, elijah wright wrote:
dear bugtraq, is there a new afs3 exploit making the rounds? i keep getting connections to port 7007, afs3-bos (basic overseer process) even though i've never touched afs3 in my life. :) ideas?? obviously, the connections are coming from hosts that are foreign to me and look fairly suspicious. :) i
I saw this recently, don't know if it's connected, but I'd assume that it's a trojan rather than AFS as it's running on a dialin user's Windows 98 box. I may be wrong on this because I have no knowledge of Windows boxes and the only AFS machines I've seen have been Unix servers running Andrew File System. This may be a legitimate service in Windows 98; I've not been interested enough to investigate further.

log:-

    attack:~> nc -vv victim.com 7007
    victim.com [xxx.xxx.xxx.xxx] 7007 (?) open
    PWDguest
    error reading password...
    sent 7, rcvd 28
    attack:~>

That was from me sending guest<return><return>; the "PWD" bit and the "error reading password..." were from the Windows 98 box.

Incidentally, the Windows box is not mine and I have no access to it, so I have no idea what legitimate services may be running, but I can confirm it is a standard, non-technical user's home Windows 98 machine, hence my suspicions of a trojan.

Steve

--
'Cold Fire, Britains most notorious hacker'
    Observer, July 1997

'The most recent conviction was that of [Cold Fire] whose On-line escapades spanned from hacking into educational sites to more sinister activities such as tapping into industrial and United States military sites.'
    DC Paul Cox, SO6 Scotland Yard CCU