Re: afs3 exploit??

[seb () SC ESF EDU HK (Sebastian Ip)]

7007 is used by windows media player encoder. Such site as
http://www.radiorepublic.com uses such encoders.
Just two cents.

On Thu, 1 Jun 2000, Charles Clancy wrote:

> On Wed, 31 May 2000, Cold Fire wrote:
> > On Thu, May 25, 2000 at 01:30:07PM -0500, elijah wright wrote:
> > > dear bugtraq,
> > >
> > > is there a new afs3 exploit making the rounds?  i keep getting connections
> > > to port 7007, afs3-bos (basic overseer process) even though i've never
> > > touched afs3 in my life.  :)  ideas??  obviously, the connections are
> > > coming from hosts that are foreign to me and look fairly suspicious. :)
> >
> > I saw this recently, don't know if its connected but I'd assume that
> > its a trjoan rather than AFS as its running on a dialin user's windows
> > 98 box, I may be wrong on this because I have no knowledge of windows
> > boxes and the only AFS machives I've seen have been unix servers running
> > Andrews File System. This may be a legitimate service in windows 98,
> > I've not been interested enough to investigate further.
>
> AFS doesn't have to run on UNIX.  Transarc (the people who currently
> license the AFS client/server products) make a Windows NT client.  There
> are 3rd-party clients available as well, including "arla", the most
> popular and fully featured.  It is conceivable that someone could have
> compiled arla on a win98 machine.  I've seen it implemented as an FTP-like
> interface, rather than actually mounting the remote AFS file system.
>
> Also, you might check to see if your IP is listed in an ancient
> CellServDB.  This is a file which the AFS client uses to determine the IPs
> of AFS servers for different AFS cells.  Most people don't get the updated
> CellServDB from Transarc when setting up AFS clients.
>
> _____________________________________________________
>   -- Charles Clancy -- mgrtcc () cs rose-hulman edu --
>       System Administrator, News Administrator
> Computer Science, Rose-Hulman Institute of Technology