Security Incidents mailing list archives

Re: afs3 exploit??


From: coldfire () CLOSED-NETWORKS COM (Cold Fire)
Date: Wed, 31 May 2000 03:23:06 +0100


On Thu, May 25, 2000 at 01:30:07PM -0500, elijah wright wrote:
dear bugtraq,

is there a new afs3 exploit making the rounds?  i keep getting connections
to port 7007, afs3-bos (basic overseer process) even though i've never
touched afs3 in my life.  :)  ideas??  obviously, the connections are
coming from hosts that are foreign to me and look fairly suspicious. :)
i

I saw this recently, don't know if it's connected but I'd assume that
it's a trojan rather than AFS as it's running on a dialin user's Windows
98 box. I may be wrong on this because I have no knowledge of Windows
boxes and the only AFS machines I've seen have been unix servers running
Andrew File System. This may be a legitimate service in Windows 98,
I've not been interested enough to investigate further.

log:-

attack:~> nc -vv victim.com 7007
victim.com [xxx.xxx.xxx.xxx] 7007 (?) open
PWDguest
error reading password...
 sent 7, rcvd 28
attack:~>

That was from me sending guest<return><return>; the "PWD" bit and the
"error reading password..." were from the Windows 98 box.

Incidentally the Windows box is not mine and I have no access to it, so
I have no idea what legitimate services may be running, but I can
confirm it is a standard, non-technical user's, home Windows 98 machine,
hence my suspicions of a trojan.

Steve

--
'Cold Fire, Britains most notorious hacker' Observer, July 1997
'The most recent conviction was that of [Cold Fire] whose On-line
escapades spanned from hacking into educational sites to more
sinister activities such as tapping into industrial and United
States military sites.' DC Paul Cox, SO6 Scotland Yard CCU


