Security Incidents mailing list archives
Re: TCP Port 9704 Scans
From: Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>
Date: Sat, 28 Oct 2000 09:30:14 -0000
Hi!

I believe it's a simple bindshell from some statd worm which listens on port 9704. A simple 'cat /etc/inetd.conf | grep 9704' would see if you are hacked.

Thank you!
/ Fredrik O.

Hello all,

I gathered much of the following information from a number of users on the Snort mailing list (www.snort.org). We came to realize that there have been massive port scans from a number of IPs (one user reported over 30,000 connects to his network) attempting to connect to port 9704. This seems to be an attempt to locate backdoors installed via the recent rpc.statd exploit (http://www.cert.org/advisories/CA-2000-17.html), which by default adds a root shell to this port.

Here is a paste of packet info from Snort:

[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704 -> my.ho.me.ip:9704
TCP TTL:24 TOS:0x0 ID:39426 ******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

There are also many incidents of this reported at http://www.sans.org/giac.htm

DmuZ
----------------------------------------------------------------
perl -e '$_=q/bill@micro$oft.com/; \
s/bill/dmuz/;s/micro/angry/; \
s/\$oft/packet/;print $_."\n"'
----------------------------------------------------------------
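
A stricter form of the inetd.conf check suggested in the reply, as an added example that is not part of the original thread: it skips commented-out entries, also matches service names that a services file maps to the port, and tags entries whose server program is a shell. The function name inetd_port_audit and the sample config are constructed for illustration.

```shell
#!/bin/sh
# inetd_port_audit CONF [PORT] [SERVICES]   (hypothetical helper name)
# Prints every active (uncommented) entry in an inetd-style CONF whose service
# field is PORT, or a name that SERVICES maps to PORT/tcp. Entries whose server
# program is a shell are tagged SHELL, anything else REVIEW.
# Exit status follows grep: 0 if something matched, 1 if nothing did.
inetd_port_audit() {
    conf=$1
    port=${2:-9704}
    services=${3:-/etc/services}
    [ -r "$services" ] || services=/dev/null
    awk -v port="$port" '
        { sub(/#.*/, "") }                  # drop comments in both files
        NF == 0 { next }                    # skip blank / comment-only lines
        pass == 1 {                         # services: name port/proto [aliases]
            if ($2 == (port "/tcp"))
                for (i = 1; i <= NF; i++) if (i != 2) alias[$i] = 1
            next
        }
        $1 == port || ($1 in alias) {       # inetd.conf: field 6 is the server
            n = split($6, path, "/")
            tag = (path[n] ~ /^(a|ba|c|da|k|tc|z)?sh$/) ? "SHELL" : "REVIEW"
            printf "%s %s:%d: %s\n", tag, FILENAME, FNR, $0
            found = 1
        }
        END { exit(found ? 0 : 1) }
    ' pass=1 "$services" pass=2 "$conf"
}

# Constructed sample config (not taken from the thread): one legitimate
# service, one commented-out entry, one active shell entry on port 9704.
sample=$(mktemp)
cat > "$sample" <<'EOF'
ftp     stream tcp nowait root /usr/sbin/in.ftpd in.ftpd
#9704   stream tcp nowait root /bin/sh sh -i
9704    stream tcp nowait root /bin/sh sh -i
EOF
inetd_port_audit "$sample" 9704 /dev/null   # reports only line 3, tagged SHELL
rm -f "$sample"
```

On a live host, pass the configuration file the running inetd was actually started with, which may not be /etc/inetd.conf.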