Security Incidents mailing list archives

TCP Port 9704 Scans


From: DmuZ <DmuZ () angrypacket com>
Date: Thu, 26 Oct 2000 14:12:08 -0700

Hello all,

I gathered much of the following information from a number of users on the
Snort mailing list (www.snort.org).

We came to realize that there have been massive port scans from a number of
IPs (one user reported over 30,000 connects to his network) attempting to
connect to port 9704. This seems to be an attempt to locate backdoors
installed via the recent rpc.statd exploit
(http://www.cert.org/advisories/CA-2000-17.html), which by default adds a
root shell to this port.


Here is a paste of packet info from Snort:

[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

There are also many incidents of this reported at
http://www.sans.org/giac.htm


DmuZ
----------------------------------------------------------------
perl -e '$_=q/bill@micro$oft.com/; \
s/bill/dmuz/;s/micro/angry/; \
s/\$oft/packet/;print $_."\n"'
----------------------------------------------------------------
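
Added example, not part of the original post: Python that parses Snort alerts in the layout quoted above and counts, per source address, the SYN+FIN probes aimed at TCP port 9704. The second and third sample alerts are constructed, and the function names are this example's own.

```python
import re
from collections import Counter

# First alert is quoted from the post; the other two are constructed samples.
SAMPLE = """\
[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] SCAN-SYN FIN [**]
10/23-04:54:47.120001 216.78.161.105:9704 -> 192.0.2.10:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] SCAN-SYN FIN [**]
10/23-05:10:02.000100 198.51.100.7:53 -> 192.0.2.10:53
TCP TTL:30 TOS:0x0 ID:1234
******SF Seq: 0x1A2B3C4D Ack: 0x0 Win: 0x404
"""

# "<timestamp> <src>:<sport> -> <dst>:<dport>"; the space before "->" is optional.
HEADER = re.compile(r"^\S+\s+(\S+?):(\d+)\s*->\s*(\S+?):(\d+)$")
FLAGS = re.compile(r"^([*\w]{8})\s+Seq:")

def parse_alerts(text):
    """Split blank-line-separated alert blocks into dicts."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        alert = {}
        for line in map(str.strip, block.splitlines()):
            if line.startswith("[**]"):
                alert["rule"] = line.strip("[*] ")
            elif m := HEADER.match(line):
                alert.update(src=m[1], sport=int(m[2]), dst=m[3], dport=int(m[4]))
            elif m := FLAGS.match(line):
                alert["flags"] = m[1]
        if {"src", "dport", "flags"} <= alert.keys():
            alerts.append(alert)  # keep only complete TCP alerts
    return alerts

def backdoor_probes(alerts, port=9704):
    """Count SYN+FIN probes to `port` per source address."""
    hits = Counter()
    for a in alerts:
        # Flag positions assumed from the quoted alert: SYN 7th, FIN 8th.
        if a["flags"][6:] == "SF" and a["dport"] == port:
            hits[a["src"]] += 1
    return hits
```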