nanog mailing list archives

Re: New Active Exploit: memcached on port 11211 UDP & TCP being exploited for reflection attacks


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Thu, 1 Mar 2018 17:50:45 -0500

pre install of memcache on a (debianXXX)
Abort.
morrowc@build:~$ netstat -anA inet | grep LIST
tcp        0      0 192.110.255.61:53       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5433          0.0.0.0:*               LISTEN


run:
apt-get install memcached

now:
morrowc@build:~$ netstat -anA inet | grep LIST
tcp        0      0 192.110.255.61:53       0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5433          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN

fargh.

On Thu, Mar 1, 2018 at 5:38 PM, Randy Bush <randy () psg com> wrote:

this is sort of why openbsd listens only on 127.0.0.1/::1 by default,
right? it's the only sane choice for 'fresh out of the box' network
daemons: "Yes, it's running, yes I can healthcheck it locally to prove
it's running"

amidst all the hysterical pontification, i am having trouble finding any
release which has, by default, a port 11211 listener on any interface.

randy
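
Added example, not from the thread or the memcached project: a POSIX sh audit that turns the before/after netstat check above into a repeatable test, flagging any port 11211 socket (TCP or UDP) bound to something other than loopback, i.e. the exposure the reflection reports are about. It assumes `netstat -an` style columns (proto, recv-q, send-q, local, foreign, state); the sample lines are constructed.

```shell
#!/bin/sh
# audit_memcached_listeners: read netstat-style lines on stdin, print every
# port 11211 socket reachable beyond loopback, return 1 if any was found.
# Loopback-only binds (127.x / ::1), as in the Debian default shown in the
# post, pass; 0.0.0.0 / :: binds are reported, and UDP ones are called out
# because an Internet-reachable UDP 11211 socket is the reflection vector.
audit_memcached_listeners() {
    found=0
    while read -r proto _ _ local _ _; do
        case "$local" in
            *:11211) ;;                 # memcached port: inspect further
            *) continue ;;
        esac
        addr="${local%:*}"              # strip the trailing ":11211"
        case "$addr" in
            127.*|::1) continue ;;      # loopback only: not exposed
        esac
        case "$proto" in
            udp*) printf 'EXPOSED %s %s (UDP reflection vector)\n' "$proto" "$local" ;;
            *)    printf 'EXPOSED %s %s (non-loopback TCP bind)\n' "$proto" "$local" ;;
        esac
        found=1
    done
    return $found
}

# Constructed sample: the loopback listener from the post plus hypothetical
# exposed sockets, to show what the audit reports on a misconfigured host.
SAMPLE_NETSTAT='tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:11211           0.0.0.0:*
udp        0      0 127.0.0.1:11211         0.0.0.0:*
tcp6       0      0 :::11211                :::*                    LISTEN'

# Number of exposed sockets in the constructed sample (expected: 3).
count_exposed() {
    printf '%s\n' "$SAMPLE_NETSTAT" \
        | { audit_memcached_listeners || true; } | wc -l | tr -d ' '
}

# Run against the live host: netstat -an | audit_memcached_listeners
printf '%s\n' "$SAMPLE_NETSTAT" | audit_memcached_listeners
```

On a real host pipe `netstat -an` (or `ss -lnu`/`ss -lnt` output with the same columns) into the function; a non-zero exit means a 11211 socket is bound beyond loopback.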



Current thread: