Re: TCP Port 9704 Scans

[Fredrik Ostergren <fredrik.ostergren () FREEBOX COM>]

Hi!
I believe it's a simple bindshell from some statd worm 
which listens on port 9704. A 
simple 'cat /etc/inetd.conf | grep 9704' would see if 
you are hacked. Thank you!

/ Fredrik O.

> Hello all,
>
> I gathered much of the following information from a 
number of users on the
> Snort mailing list (www.snort.org).
>
> We came to realize that there have been massive 
port scans from a number of
> IPs (one user reported over 30,000 connects to his 
network) attempting to
> connect to port 9704. This seems to be am attempt 
to locate backdoors
> installed via the recent rpc.statd exploit
> (http://www.cert.org/advisories/CA-2000-17.html), 
which by default adds a
> root shell to this port.
>
>
> Here is a paste of packet info from Snort:
>
> [**] SCAN-SYN FIN [**]
> 10/23-04:54:46.999137 216.78.161.105:9704-> 
my.ho.me.ip:9704
> TCP TTL:24 TOS:0x0 ID:39426
> ******SF Seq: 0x41B2FB01 Ack: 0x6173C91 Win: 
0x404
> There are also many incidents of this reported at
> http://www.sans.org/giac.htm
>
>
> DmuZ
> ----------------------------------------------------------------
> perl -e '$_=q/bill@micro$oft.com/; \
> s/bill/dmuz/;s/micro/angry/; \
> s/\$oft/packet/;print $_."\n"'
> ----------------------------------------------------------------