Security Incidents mailing list archives

Re: Port 9088


From: George Bakos <alpinista () BIGFOOT COM>
Date: Wed, 4 Oct 2000 23:15:28 -0400

As it is obvious from your activity that you are 100% authorized to perform these scans, I
recommend that you also scan for other adjacent ports in the same address range and see
if you get any more "filtered" results.  Nmap is not a very intuitive tool.  It interprets packets
returning to the scanning host according to some very simple rules.  No reply, or an ICMP
type 3 will result in the "filtered" reporting.  That does not mean anything is really there.  My
guess is that these boxes' ipchains rulesets are actually holding very nicely, or the machines
don't even exist.  You did a plain-vanilla scan including the initial ping, right?

On Wed, 04 Oct 2000, you wrote:
A couple of threads on this list have mentioned port 9088 as either the
default port for an exploit (rpc.statd), or just a generally preferred port
for rootshells.

I know that many of the residential DSL customers on my network use Linux,
and many of them have default installs that have never been updated, so I
did some portscanning (nmap -sT -p 9088 <network>/<mask>).  I found more
hosts than I'd expected reporting something like:

Interesting ports on hax0red.whoopsie.com (10.0.0.3):
Port    State       Protocol  Service
9088    filtered    tcp       unknown

All of them are filtered.

I see two possibilities -- the cracker in question is using ipchains or
something similar to secure the rootshell against other barbarian
hordlings, or perhaps there is some service that actually runs at 9088.

So my question is, is there some software or other that listens on this
port, or is there a pretty good chance that every IP reporting an open port
9088 has been compromised?  Is there a way of testing, even though nmap
reports the port as filtered?

Thanks for any help,

Todd
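An added example, not part of the thread: a small Python parser for the nmap table format quoted above, combined with George's suggestion of comparing 9088 against adjacent ports on the same host, so that a box reporting "filtered" on every port is read as a firewall or an empty address rather than a guarded rootshell. The hostnames, addresses and port states in the sample are constructed.

```python
import re
from collections import defaultdict
# Constructed sample in the classic nmap text format quoted in the thread
# (hostnames and addresses are made up; 9087/9089 are the adjacent ports).
SAMPLE = """\
Interesting ports on hax0red.whoopsie.com (10.0.0.3):
Port    State       Protocol  Service
9087    filtered    tcp       unknown
9088    filtered    tcp       unknown
9089    filtered    tcp       unknown

Interesting ports on dsl-b.example.net (10.0.0.7):
Port    State       Protocol  Service
9087    closed      tcp       unknown
9088    open        tcp       unknown
9089    closed      tcp       unknown

Interesting ports on dsl-c.example.net (10.0.0.9):
Port    State       Protocol  Service
9087    closed      tcp       unknown
9088    filtered    tcp       unknown
9089    closed      tcp       unknown
"""

HOST_RE = re.compile(r"^Interesting ports on \S+ \((\d+\.\d+\.\d+\.\d+)\):")
PORT_RE = re.compile(r"^(\d+)\s+(open|closed|filtered)\s+(tcp|udp)\s+\S+")

def parse_nmap(text):
    """Return {ip: {port: state}} from the old-style nmap table output."""
    hosts, ip = defaultdict(dict), None
    for line in text.splitlines():
        h, p = HOST_RE.match(line), PORT_RE.match(line)
        if h:
            ip = h.group(1)
        elif p and ip:
            hosts[ip][int(p.group(1))] = p.group(2)
    return dict(hosts)

def verdict(state, others):
    """nmap says 'filtered' for no reply or an ICMP type 3, which is also what
    a firewall or an unused address produces; compare with neighbouring ports."""
    if state == "open":
        return "open"                  # something really listens there
    if state != "filtered":
        return state or "unscanned"
    if not others:
        return "inconclusive"          # no adjacent ports to compare against
    if all(s == "filtered" for s in others):
        return "all-filtered"          # firewall holding, or no host at all
    return "only-target-filtered"      # a port-specific rule on that host

def triage(hosts, target=9088):
    return {ip: verdict(ports.get(target), [s for p, s in ports.items() if p != target])
            for ip, ports in hosts.items()}
```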
