Security Incidents mailing list archives
Re: Port 7070?
From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Fri, 23 Jun 2000 11:40:33 -0700
RealAudio and Quicktime video servers run on this port. Maybe there is a url like pnm://whyllie/foo.rm on somebody's website pointing to your machine. Maybe people are scanning for such video servers in search of free porn. There is also a bug in some version of the RealAudio server that can be crashed; maybe people are just scanning the net trying to crash the server. Maybe there is a new exploit for such servers.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On Behalf Of PARKIN, MICHAEL (PBI)
Sent: Thursday, June 22, 2000 10:27 AM
To: INCIDENTS () securityfocus com
Subject: Port 7070?

Morning, folks,

Recently I've seen a series of connection attempts to one of my boxen. I run a household LAN connected via cablemodem, and all but one of the machines runs Linux in a relatively secure mode. I have ipchains pipe suspicious output to syslog and I monitor it frequently.

While I'm used to seeing the subnet get scanned for 27374 (Sub7) and 12345 (NetBus) and the ubiquitous 137 (NetBIOS) these connections to 7070 are recent. I've considered the possibility that someone's just running a mis-configured IRC client (there is an IRC server on this particular box, listening on the usual ports, and 8500 for server connections) but I've seen these connections from several different locations, and they all started within the last week or so. I've included one sample below.

Is anyone aware of a trojan living on this port? The box hasn't been compromised, and I strongly suspect the connections are coming from Windows boxes, but haven't counterscanned to find out. Notably, none of the connections correspond to a legitimate user on the IRC network this box is connected to.

Thanks,
Mike

messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
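
An added example, not part of either message: parsing the three ipchains log lines quoted above and grouping the SYNs by source and destination address and port shows one connection attempt retried after 3 and 6 seconds, with a TTL consistent with an initial value of 128. The function names, the year default and the list of candidate initial TTLs are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# The three ipchains log lines quoted in the message above.
SAMPLE = """\
messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)
messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)
"""

# Fields: timestamp, host, chain, action, interface, protocol, src:port, dst:port, TTL, SYN flag.
PAT = re.compile(
    r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: \S+ \S+ \S+ "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) .*?T=(?P<ttl>\d+)(?P<syn> SYN)?")

def parse(text, year=2000):
    """Parse log lines; syslog omits the year, so 2000 (the message date) is assumed."""
    events = []
    for line in text.splitlines():
        m = PAT.search(line)
        if m:
            e = m.groupdict()
            e["when"] = datetime.strptime(f"{year} {e['ts']}", "%Y %b %d %H:%M:%S")
            events.append(e)
    return events

def summarize(events):
    """Group TCP SYNs by 4-tuple: a repeated tuple is one connect being retried."""
    flows = defaultdict(list)
    for e in events:
        if e["proto"] == "6" and e["syn"]:
            flows[(e["src"], e["sport"], e["dst"], e["dport"])].append(e)
    out = []
    for key, evs in flows.items():
        times = sorted(e["when"] for e in evs)
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        ttl = int(evs[0]["ttl"])
        # Common initial TTLs; 128 is the usual Windows default. A hint, not proof.
        initial = next(d for d in (64, 128, 255) if d >= ttl)
        out.append({"flow": key, "syn_count": len(evs), "retry_gaps_s": gaps,
                    "ttl": ttl, "likely_initial_ttl": initial, "hops": initial - ttl})
    return out

if __name__ == "__main__":
    for row in summarize(parse(SAMPLE)):
        print(row)
```

Run over a full log, a source that shows up as many distinct 4-tuples across ports or hosts looks like a scan, while a single tuple with growing retry gaps looks like one client trying to connect.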