Security Incidents mailing list archives
TCP Port 9704 Scans
From: DmuZ <DmuZ () angrypacket com>
Date: Thu, 26 Oct 2000 14:12:08 -0700
Hello all,

I gathered much of the following information from a number of users on the Snort mailing list (www.snort.org). We came to realize that there have been massive port scans from a number of IPs (one user reported over 30,000 connects to his network) attempting to connect to port 9704. This seems to be an attempt to locate backdoors installed via the recent rpc.statd exploit (http://www.cert.org/advisories/CA-2000-17.html), which by default adds a root shell to this port.

Here is a paste of packet info from Snort:

[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 216.78.161.105:9704-> my.ho.me.ip:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

There are also many incidents of this reported at http://www.sans.org/giac.htm

DmuZ
----------------------------------------------------------------
perl -e '$_=q/bill@micro$oft.com/; \
s/bill/dmuz/;s/micro/angry/; \
s/\$oft/packet/;print $_."\n"'
----------------------------------------------------------------
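Added example, not part of the original post: a Python parser for Snort alerts in the layout quoted above, tallying SYN-FIN probes to port 9704 per source address. It assumes the four-line record layout with blank lines between records; the sample records are constructed with documentation addresses, and the function names are illustrative.

```python
import re
from collections import Counter

# Constructed sample in the alert layout quoted in the post. Addresses are
# RFC 5737 documentation ranges, not real scanners.
SAMPLE = """\
[**] SCAN-SYN FIN [**]
10/23-04:54:46.999137 192.0.2.10:9704-> 198.51.100.5:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] SCAN-SYN FIN [**]
10/23-04:54:47.120001 192.0.2.10:9704-> 198.51.100.6:9704
TCP TTL:24 TOS:0x0 ID:39426
******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 0x404

[**] SCAN-SYN FIN [**]
10/23-05:10:02.000100 192.0.2.77:53-> 198.51.100.5:53
TCP TTL:30 TOS:0x0 ID:39426
******SF Seq: 0x1 Ack: 0x2 Win: 0x404
"""

HEADER = re.compile(r"^\[\*\*\]\s*(?P<msg>.+?)\s*\[\*\*\]$")
ADDRS = re.compile(r"^\S+\s+(?P<src>\S+?):\d+\s*->\s*(?P<dst>\S+?):(?P<dport>\d+)$")
FLAGS = re.compile(r"^(?P<flags>[*\w]{8})\s+Seq:")

def parse_alerts(text):
    """Yield one dict per blank-line-separated alert record."""
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if len(lines) < 4:
            continue
        h, a, f = HEADER.match(lines[0]), ADDRS.match(lines[1]), FLAGS.match(lines[3])
        if h and a and f:  # skip records not in the expected layout
            yield {"msg": h["msg"], "src": a["src"], "dst": a["dst"],
                   "dport": int(a["dport"]), "flags": f["flags"]}

def summarize(text, port=9704):
    """Per-source probe count and destinations for SYN+FIN alerts to `port`."""
    hits = [a for a in parse_alerts(text)
            if a["dport"] == port and {"S", "F"} <= set(a["flags"])]
    counts = Counter(a["src"] for a in hits)
    targets = {s: sorted({a["dst"] for a in hits if a["src"] == s}) for s in counts}
    return counts, targets

if __name__ == "__main__":
    for src, n in summarize(SAMPLE)[0].most_common():
        print(f"{src}: {n} SYN-FIN probes to port 9704")
```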