Port 524: compromised machine with ndsd

[Jens Hektor <hektor () RZ RWTH-AACHEN DE>]

Hi,

I have just discovered a compromised machine
(Redhat 6.2) with port 524 open, running on
that service "ndsd - Novell Directory Service
(NDS) daemon".

The machine was scanning our site for port
telnet and is itself rootshelled on some other
port.

Admins have been notified.

So maybe there is a vulnerability in ndsd, I think
I must have missed something in the last
security announcements. But could be the standard
wu-ftpd or rpc.statd compromise also.

Bye, Jens Hektor