Security Incidents mailing list archives
Re: afs3 exploit??
From: seb () SC ESF EDU HK (Sebastian Ip)
Date: Fri, 2 Jun 2000 18:15:58 +0800
7007 is used by windows media player encoder. Such site as http://www.radiorepublic.com uses such encoders. Just two cents. On Thu, 1 Jun 2000, Charles Clancy wrote:
On Wed, 31 May 2000, Cold Fire wrote:On Thu, May 25, 2000 at 01:30:07PM -0500, elijah wright wrote:dear bugtraq, is there a new afs3 exploit making the rounds? i keep getting connections to port 7007, afs3-bos (basic overseer process) even though i've never touched afs3 in my life. :) ideas?? obviously, the connections are coming from hosts that are foreign to me and look fairly suspicious. :)I saw this recently, don't know if its connected but I'd assume that its a trjoan rather than AFS as its running on a dialin user's windows 98 box, I may be wrong on this because I have no knowledge of windows boxes and the only AFS machives I've seen have been unix servers running Andrews File System. This may be a legitimate service in windows 98, I've not been interested enough to investigate further.AFS doesn't have to run on UNIX. Transarc (the people who currently license the AFS client/server products) make a Windows NT client. There are 3rd-party clients available as well, including "arla", the most popular and fully featured. It is conceivable that someone could have compiled arla on a win98 machine. I've seen it implemented as an FTP-like interface, rather than actually mounting the remote AFS file system. Also, you might check to see if your IP is listed in an ancient CellServDB. This is a file which the AFS client uses to determine the IPs of AFS servers for different AFS cells. Most people don't get the updated CellServDB from Transarc when setting up AFS clients. _____________________________________________________ -- Charles Clancy -- mgrtcc () cs rose-hulman edu -- System Administrator, News Administrator Computer Science, Rose-Hulman Institute of Technology
Current thread:
- Re: afs3 exploit?? Cold Fire (May 30)
- Re: afs3 exploit?? Charles Clancy (Jun 01)
- Re: afs3 exploit?? Sebastian Ip (Jun 02)
- TCP Scans to port 21656 Federico Grau (Jun 02)
- Re: afs3 exploit?? Charles Clancy (Jun 01)