Re: port 9704 scans

["Matthew F. Caldwell" <mattc () GUARDED NET>]

There has been a number of mass exploit scanners, that when a system is exploited create a configuration file for 
inetd. Then the exploit proceeds to execute a new intance of inetd with the bad config file. The configuration then 
opens a port on for instance 9704 (korean) that has a shell piped to it. I've also seen scans coming in on 5000 and 
9088 after a rpc statd scan.

To test your system, telnet to the localport ex:

telnet localhost 9704

then type once connected.

/bin/sh -i;

Vitaly Osipov <vos () TELENOR CZ> wrote:

> Hi all,
>
> I am just curious, what was that guy scanning for - i have packets like one
> below directed to all hosts in my net...
>
> 09/08-10:55:57.081848 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800 len:0x3C
> 24.141.204.108:9704 -> xxx.xx.xx.xx:9704 TCP TTL:23 TOS:0x0 ID:39426
> **SF**** Seq: 0x1FFE9308 Ack: 0x62D853AD Win: 0x404
>
>
> they are syn-fin packets with source and destination ports 9704. I have not
> found any references to any trojans using this port.
>
> regards,
> Vitaly.

Matthew F. Caldwell, CISSP
mattc () guarded net