Security Incidents mailing list archives

Re: port 768


From: gyst () NFG NL (Guido A.J. Stevens)
Date: Fri, 28 Jan 2000 09:58:17 +0100


"Robert Graham" <bugtraq () networkice com> writes:

> Therefore, I'm guessing that the 768 is a rpc.mountd port common to the
> particular distro the hacker has an exploit for. I'm not sure how you
> identified the initial rpc.mountd (635 was common in RedHat 5.0 for mountd,
> or it may have been from an rpcbind getport on port 111).

That explains, thank you. After I noticed lots of probes on port 111,
I put an email alert on rpc.mountd rejects in hosts.deny. I got
alerted all right, and it coincided with this port 768 scan. I was
already wondering why the rpc probe (which I assumed to be targeted at
111) wasn't reject-logged by the firewall, whereas the 768 probe
was. As it turns out, they're the same: an rpc probe on port
768.

Obviously /etc/services is not the comprehensive port/service mapping
I thought it to be. Is there another way to quickly create a
comprehensive listing of which services are listening on which ports?

:*CU#

--
***    Guido A.J. Stevens      ***    mailto:gyst () nfg nl    ***
***    Net Facilities Group    ***    tel:+31.43.3618933    ***
***    http://www.nfg.nl       ***    fax:+31.43.3560502    ***

It is not true that the government has not moved to regulate the
internet. The last few years has seen an extraordinary expansion
of intellectual property rights [...] that is producing an
extraordinary power to own and hence control ideas.
[Lessig, http://cyber.law.harvard.edu/events/lessigkeynote.pdf ]
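
Added example, not part of the original post: RPC services such as rpc.mountd get their ports through the portmapper on 111 rather than from /etc/services, so this sketch cross-checks `rpcinfo -p` output against /etc/services and lists the registrations that have no static entry. Both sample inputs and all function names are constructed for illustration; on a live host, feed it the real `rpcinfo -p` output and /etc/services contents.

```python
# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE_RPCINFO = """\
   program vers proto   port  service
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
    100005    1   udp    768  mountd
    100005    1   tcp    768  mountd
    100003    2   udp   2049  nfs
"""

# Constructed excerpt of /etc/services.
SAMPLE_SERVICES = """\
# name   port/proto  aliases
sunrpc   111/tcp     portmapper
sunrpc   111/udp     portmapper
nfs      2049/udp    # Network File System
"""

def parse_rpcinfo(text):
    """Return [(port, proto, service)] from rows: program vers proto port [service]."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit() and fields[3].isdigit():
            name = fields[4] if len(fields) > 4 else "unknown"
            rows.append((int(fields[3]), fields[2], name))
    return rows

def parse_services(text):
    """Return {(port, proto): name} from /etc/services-style text."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments
        if len(fields) < 2:
            continue
        port, _, proto = fields[1].partition("/")
        if port.isdigit() and proto:
            table.setdefault((int(port), proto), fields[0])
    return table

def unlisted_rpc_ports(rpcinfo_text, services_text):
    """RPC registrations whose port/proto has no /etc/services entry."""
    known = parse_services(services_text)
    return sorted({row for row in parse_rpcinfo(rpcinfo_text)
                   if (row[0], row[1]) not in known})

if __name__ == "__main__":
    for port, proto, name in unlisted_rpc_ports(SAMPLE_RPCINFO, SAMPLE_SERVICES):
        print(f"{port}/{proto}\t{name}\tvia portmapper, not in /etc/services")
```

This covers only services registered with the portmapper; other listeners have to come from the host's socket table, for example `netstat -an` or `lsof -i`.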


