Re: Port 9704

[Harry Behrens <Harry () BEHRENS COM>]

it's a trojan horse: check /etc/identd.conf

for s.th like

9704..... /bin/sh....

I still haven't figured out which script is behind this, but it's a script
kiddie's toolbox thing:
It hacks aftp daemon (only for Linux as far as I know) and then
- leaves the trojan at 9704
- starts scanning around for similar ftp daemons.

Regards,

        Harry


> -----Original Message-----
> From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
> Behalf Of Derek K.
> Sent: Wednesday, October 11, 2000 8:07 AM
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Port 9704
>
>
> I never thought I'd do this...
>
> I'm seeing a lot of traffic from 2 mailservers - it's going out on port
> 9704 and going in on another box's 9704.  I'm suspicious, and don't find
> any references to it around.  The 9704->9704 makes me wonder if it isn't a
> hack of some kind.
>
> Any reponses are appreciated.
>
> Cheers,
> Derek K.