Security Incidents mailing list archives
Re: Port 9088
From: Christopher Tresco <ctresco () MIT EDU>
Date: Wed, 4 Oct 2000 21:18:03 -0400
It has been my experience that when nmap says filtered it isn't blocked w/ ipchains. Usually that would mean the router filters that port. -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Todd Meister Sent: Wednesday, October 04, 2000 5:19 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Port 9088 A couple threads on this list have mentioned port 9088 as either the default port for an exploit (rpc.statd), or just a generally preferred port for rootshells. I know that many of the residential DSL customers on my network use Linux, and many of them have default installs that have never been updated, so I did some portscanning (nmap -sT -p 9088 <network>/<mask>). I found more hosts than I'd expected reporting something like: Interesting ports on hax0red.whoopsie.com (10.0.0.3): Port State Protocol Service 9088 filtered tcp unknown All of them are filtered. I see two possibilities -- the cracker in question is using ipchains or something similar to secure the rootshell against other barbarian hordlings, or perhaps there is some service that actually runs at 9088. So my question is, is there some software or other that listens on this port, or is there a pretty good chance that every IP reporting an open port 9088 has been compromised? Is there a way of testing, even though nmap reports the port as filtered? Thanks for any help, Todd
Current thread:
- Port 9088 Todd Meister (Oct 04)
- Re: Port 9088 George Bakos (Oct 04)
- Re: Port 9088 Todd Meister (Oct 05)
- Re: Port 9088 Erik Tayler (Oct 06)
- Re: Port 9088 Todd Meister (Oct 05)
- Re: Port 9088 Christopher Tresco (Oct 04)
- Re: Port 9088 Todd Meister (Oct 04)
- <Possible follow-ups>
- Re: Port 9088 Peter Foreman (Oct 06)
- Re: Port 9088 George Bakos (Oct 04)