Security Incidents mailing list archives

Re: port 768


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Thu, 27 Jan 2000 13:05:46 -0800


Linux puts a lot of its RPC services on ports between 512-1024. Since the
installation of a distro doesn't have much variance, the result is that the
same service will likely end up at the same port.

Therefore, I'm guessing that the 768 is an rpc.mountd port common to the
particular distro the hacker has an exploit for. I'm not sure how you
identified the initial rpc.mountd (635 was common in RedHat 5.0 for mountd,
or it may have been from an rpcbind getport on port 111).

Robert Graham

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Guido A.J. Stevens
Sent: Thursday, January 27, 2000 8:54 AM
To: INCIDENTS () securityfocus com
Subject: port 768

Hi folks,

Somebody from South America is walking our ip range, trying for
rpc.mountd and port 768. I've never seen port 768, does anybody know
what they're looking for?

:*CU#

--
***    Guido A.J. Stevens      ***    mailto:gyst () nfg nl    ***
***    Net Facilities Group    ***    tel:+31.43.3618933    ***
***    http://www.nfg.nl       ***    fax:+31.43.3560502    ***

Around the world there are networks of spy stations and spy
satellites which can intercept communications anywhere on the
planet.
[Hager, ISBN 0-908802-35-8, p.56]
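
The "rpcbind getport on port 111" lookup mentioned in the reply can be read straight out of a packet capture. The decoder below is an added example, not part of the original thread: it parses a UDP portmapper GETPORT call and its reply (RFC 1833 / RFC 5531 layout) to show which RPC program a scanner asked about and which port it was told. The sample packets, the function names and xid 42 are constructed for illustration; TCP captures carry an extra 4-byte record mark that is not handled here.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper v2
PROGRAMS = {100000: "portmapper", 100003: "nfs", 100005: "mountd"}
PROTOCOLS = {6: "tcp", 17: "udp"}

def _words(buf, off, count):
    """Read `count` big-endian uint32 values; reject truncated payloads."""
    if off + 4 * count > len(buf):
        raise ValueError("truncated RPC message")
    return struct.unpack_from(">%dI" % count, buf, off), off + 4 * count

def _skip_auth(buf, off):
    """Skip one opaque_auth field (flavor, length, body padded to 4 bytes)."""
    (_flavor, length), off = _words(buf, off, 2)
    if length > 400:                       # RFC 5531 cap on auth bodies
        raise ValueError("oversized auth body")
    return off + ((length + 3) & ~3)

def decode_getport_call(payload):
    """Return what a GETPORT call asks for, or None if it is another RPC."""
    (xid, mtype, rpcvers, prog, vers, proc), off = _words(payload, 0, 6)
    if (mtype, rpcvers, prog, vers, proc) != (0, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT):
        return None
    off = _skip_auth(payload, _skip_auth(payload, off))  # credential, verifier
    (q_prog, q_vers, q_prot, _port), off = _words(payload, off, 4)
    return {"xid": xid, "program": PROGRAMS.get(q_prog, str(q_prog)),
            "version": q_vers, "protocol": PROTOCOLS.get(q_prot, str(q_prot))}

def decode_getport_reply(payload):
    """Return the port from an accepted, successful reply, else None."""
    (xid, mtype, reply_stat), off = _words(payload, 0, 3)
    if mtype != 1 or reply_stat != 0:      # not a REPLY / not MSG_ACCEPTED
        return None
    (accept_stat,), off = _words(payload, _skip_auth(payload, off), 1)
    if accept_stat != 0:                   # e.g. PROG_UNAVAIL: no result body
        return None
    (port,), off = _words(payload, off, 1) # port 0 means "not registered"
    return {"xid": xid, "port": port}

def correlate(call, reply):
    """Pair a call with its reply by xid and summarise the lookup."""
    q, r = decode_getport_call(call), decode_getport_reply(reply)
    if not q or not r or q["xid"] != r["xid"]:
        return None
    return "%s v%d/%s -> port %d" % (q["program"], q["version"], q["protocol"], r["port"])

# Constructed packets: AUTH_NONE call asking for mountd v1 over UDP, reply 635.
SAMPLE_CALL = struct.pack(">14I", 42, 0, 2, 100000, 2, 3, 0, 0, 0, 0, 100005, 1, 17, 0)
SAMPLE_REPLY = struct.pack(">7I", 42, 1, 0, 0, 0, 0, 635)

if __name__ == "__main__":
    print(correlate(SAMPLE_CALL, SAMPLE_REPLY))
```

A source that sends GETPORT for program 100005 and then connects to the returned port is doing a portmapper lookup; a source that goes directly to a fixed port such as 768 without that lookup is relying on a port it already expects.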
