Security Incidents mailing list archives
Re: Port 9088
From: George Bakos <alpinista () BIGFOOT COM>
Date: Wed, 4 Oct 2000 23:15:28 -0400
As it is obvious from your activity that you are 100% authorized to perform these scans, I recommend that you also scan for other adjacent ports in the same address range and see if you get any more "filtered" results. Nmap is not a very intuitive tool. It interprets packets returning to the scanning host according to some very simple rules. No reply, or an ICMP type 3 will result in the "filtered" reporting. That does not mean anything is really there. My guess is that these boxes' ipchains rulesets are actually holding very nicely, or the machines don't even exist. You did a plain-vanilla scan including the initial ping, right? On Wed, 04 Oct 2000, you wrote:
A couple threads on this list have mentioned port 9088 as either the default port for an exploit (rpc.statd), or just a generally preferred port for rootshells. I know that many of the residential DSL customers on my network use Linux, and many of them have default installs that have never been updated, so I did some portscanning (nmap -sT -p 9088 <network>/<mask>). I found more hosts than I'd expected reporting something like: Interesting ports on hax0red.whoopsie.com (10.0.0.3): Port State Protocol Service 9088 filtered tcp unknown All of them are filtered. I see two possibilities -- the cracker in question is using ipchains or something similar to secure the rootshell against other barbarian hordlings, or perhaps there is some service that actually runs at 9088. So my question is, is there some software or other that listens on this port, or is there a pretty good chance that every IP reporting an open port 9088 has been compromised? Is there a way of testing, even though nmap reports the port as filtered? Thanks for any help, Todd
Current thread:
- Port 9088 Todd Meister (Oct 04)
- Re: Port 9088 George Bakos (Oct 04)
- Re: Port 9088 Todd Meister (Oct 05)
- Re: Port 9088 Erik Tayler (Oct 06)
- Re: Port 9088 Todd Meister (Oct 05)
- Re: Port 9088 Christopher Tresco (Oct 04)
- Re: Port 9088 Todd Meister (Oct 04)
- <Possible follow-ups>
- Re: Port 9088 Peter Foreman (Oct 06)
- Re: Port 9088 George Bakos (Oct 04)