Security Incidents mailing list archives
Re: port 768
From: gyst () NFG NL (Guido A.J. Stevens)
Date: Fri, 28 Jan 2000 09:58:17 +0100
"Robert Graham" <bugtraq () networkice com> writes:
Therefore, I'm guessing that the 768 is an rpc.mountd port common to the particular distro the hacker has an exploit for. I'm not sure how you identified the initial rpc.mountd (635 was common in RedHat 5.0 for mountd, or it may have been from an rpcbind getport on port 111).
That explains it, thank you. After I noticed lots of probes on port 111, I put an email alert on rpc.mountd rejects in hosts.deny. I got alerted all right, and it coincided with this port 768 scan.

I was already wondering why the rpc probe (which I assumed to be targeted at 111) wasn't reject-logged by the firewall, whereas the 768 probe was. As it turns out, they're the same: an rpc probe on port 768.

Obviously /etc/services is not the comprehensive port/service mapping I thought it to be. Is there another way to quickly create a comprehensive listing of which services are listening on which ports?

:*CU#

--
*** Guido A.J. Stevens *** mailto:gyst () nfg nl ***
*** Net Facilities Group *** tel:+31.43.3618933 ***
*** http://www.nfg.nl *** fax:+31.43.3560502 ***

It is not true that the government has not moved to regulate the internet. The last few years has seen an extraordinary expansion of intellectual property rights [...] that is producing an extraordinary power to own and hence control ideas. [Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]
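One way to approach the closing question for RPC services, as an added example that is not part of the original post: ask the portmapper which ports its registered programs hold (`rpcinfo -p`) and list those that a services file does not account for. The sample `rpcinfo -p` output and the services excerpt are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `rpcinfo -p` output (not taken from the thread).
SAMPLE_RPCINFO='   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    768  mountd
    100005    2   udp    768  mountd
    100005    1   tcp    771  mountd
    100003    2   udp   2049  nfs'

# Constructed excerpt in /etc/services format.
SAMPLE_SERVICES='sunrpc   111/tcp   portmapper
sunrpc   111/udp   portmapper
nfs      2049/udp
# mountd has no fixed entry: its port is assigned when it starts'

# rpc_port_map SERVICES_FILE < rpcinfo-output
# Prints "port/proto rpc-service services-name", one line per distinct
# port/proto pair; services-name is "-" when the file has no entry.
rpc_port_map() {
    awk '
        FILENAME == ARGV[1] {             # first input: the services file
            sub(/#.*/, "")                # drop comments
            if (NF >= 2) static[$2] = $1  # key is "port/proto"
            next
        }
        $1 ~ /^[0-9]+$/ {                 # rpcinfo rows; skips the header
            key = $4 "/" $3
            if (seen[key]++) next         # several versions share one port
            svc  = (NF >= 5) ? $5 : "prog-" $1   # unnamed RPC program
            name = (key in static) ? static[key] : "-"
            print key, svc, name
        }
    ' "$1" -
}

# unlisted_rpc_ports SERVICES_FILE < rpcinfo-output
# Only the RPC listeners that the services file does not account for.
unlisted_rpc_ports() {
    rpc_port_map "$1" | awk '$3 == "-" { print $1, $2 }'
}

# Live use on a host with the portmapper running:
#   rpcinfo -p localhost | unlisted_rpc_ports /etc/services
```

This covers only services registered with the portmapper; listeners that never register need a socket listing from the host itself.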