Security Incidents mailing list archives

Re: Port 7070?


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Fri, 23 Jun 2000 11:40:33 -0700


RealAudio and Quicktime video servers run on this port. Maybe there is a URL
like pnm://whyllie/foo.rm on somebody's website pointing to your machine.

Maybe people are scanning for such video servers in search of free porn.

There is also a bug in some version of the RealAudio server that can be
crashed; maybe people are just scanning the net trying to crash the server.

Maybe there is a new exploit for such servers.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of PARKIN, MICHAEL (PBI)
Sent: Thursday, June 22, 2000 10:27 AM
To: INCIDENTS () securityfocus com
Subject: Port 7070?

Morning, folks,

Recently I've seen a series of connection attempts to one of my boxen.  I
run a household LAN connected via cablemodem, and all but one of the
machines runs Linux in a relatively secure mode.  I have ipchains pipe
suspicious output to syslog and I monitor it frequently.  While I'm used to
seeing the subnet get scanned for 27374 (Sub7) and 12345 (NetBus) and the
ubiquitous 137 (NetBIOS), these connections to 7070 are recent.

I've considered the possibility that someone's just running a mis-configured
IRC client (there is an IRC server on this particular box, listening on the
usual ports, and 8500 for server connections) but I've seen these
connections from several different locations, and they all started within
the last week or so.  I've included one sample below.

Is anyone aware of a trojan living on this port?

The box hasn't been compromised, and I strongly suspect the connections are
coming from Windows boxes, but haven't counterscanned to find out.  Notably,
none of the connections correspond to a legitimate user on the IRC network
this box is connected to.

Thanks,
Mike

messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6
213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN
(#19)

messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6
213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN
(#19)

messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6
213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN
(#19)

Mike Parkin
Network Reliability Center
SBC Internet Services
415.442.5108
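As an added example (not part of either message), here is a small parser for ipchains "Packet log:" lines like the ones Mike quoted. It groups TCP SYNs by source address and destination port, tells a single SYN being retransmitted by one stack (same source port, a few seconds apart) apart from separate connection attempts, and guesses the sender's initial TTL. The 192.0.2.10 lines are constructed, and the TTL-to-OS mapping is only a heuristic.

```python
import re
from collections import defaultdict
from datetime import datetime
# ipchains "Packet log:" line (2.2 kernels); optional "file:" prefix tolerates grep output.
IPCHAINS_RE = re.compile(
    r"^(?:[\w./-]+:)?(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<len>\d+) "
    r"S=0x(?P<tos>[0-9a-f]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-f]+) T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)$"
)

def parse_line(line):
    """Parse one ipchains log line into a dict, or return None if it is not one."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: int(rec[k]) for k in ("proto", "sport", "dport", "ipid", "ttl")})
    rec["syn"] = rec["syn"] is not None
    rec["time"] = datetime.strptime(rec["ts"], "%b %d %H:%M:%S")  # syslog carries no year
    return rec

def summarize(lines):
    """Group TCP SYNs by (source IP, destination port) and classify each group."""
    groups = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["proto"] == 6 and rec["syn"]:
            groups[(rec["src"], rec["dport"])].append(rec)
    summary = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r["time"])
        sports = sorted({r["sport"] for r in recs})
        span = (recs[-1]["time"] - recs[0]["time"]).total_seconds()
        # Same source port a few seconds apart is one unanswered SYN being retransmitted
        # by the sender's TCP stack; different source ports are separate connection tries.
        kind = "syn-retransmit" if len(sports) == 1 and len(recs) > 1 else "connects"
        ttl = max(r["ttl"] for r in recs)
        base = next(b for b in (64, 128, 255) if ttl <= b)  # heuristic initial TTL guess
        summary[key] = {"count": len(recs), "sports": sports, "span_s": span,
                        "kind": kind, "initial_ttl_guess": base, "hops": base - ttl}
    return summary

# Constructed sample: the post's three lines rejoined onto single lines, plus a made-up second source.
SAMPLE = [
    "messages:Jun 22 05:36:56 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=9778 F=0x4000 T=111 SYN (#19)",
    "messages:Jun 22 05:36:59 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10034 F=0x4000 T=111 SYN (#19)",
    "messages:Jun 22 05:37:05 whyllie kernel: Packet log: input - eth0 PROTO=6 213.243.3.68:1514 24.142.170.81:7070 L=48 S=0x00 I=10546 F=0x4000 T=111 SYN (#19)",
    "Jun 22 06:10:01 whyllie kernel: Packet log: input - eth0 PROTO=6 192.0.2.10:3201 24.142.170.81:7070 L=48 S=0x00 I=41 F=0x4000 T=52 SYN (#19)",
    "Jun 22 06:10:02 whyllie kernel: Packet log: input - eth0 PROTO=6 192.0.2.10:3202 24.142.170.81:7070 L=48 S=0x00 I=42 F=0x4000 T=52 SYN (#19)",
]
```

Run `summarize(SAMPLE)`: the 213.243.3.68 entries come out as one retransmitted SYN with an initial TTL of 128, which is consistent with Mike's suspicion that the sender is a Windows box.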
