Security Incidents mailing list archives
Re: Port 9704
From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Wed, 11 Oct 2000 18:23:18 -0400
On Tue, 10 Oct 2000, Derek K. wrote:

> I never thought I'd do this...

no one ever does.

> I'm seeing a lot of traffic from 2 mailservers - it's going out on port 9704 and going in on another box's 9704. I'm suspicious, and don't find any references to it around. The 9704->9704 makes me wonder if it isn't a hack of some kind.

9704<->9704 is a new one to me, but ... not inconceivable. port 9704/TCP is a common port to bind to a root owned shell in inetd (or a second inetd instance). see the exploit described here:

http://www.cert.org/advisories/CA-2000-17.html

i hope this helps. i have seen a few 9704/TCP sweeps lately, which i attributed to this.

jose nazario jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
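
A host-side check for the two conditions the reply names (a shell bound to a port in inetd, or a second inetd instance), as an added example that is not part of the original message. The function names, the watched-port set and both sample inputs are constructed for illustration; the field layout assumes the standard inetd.conf format.

```python
import os

SHELLS = {"sh", "ash", "bash", "csh", "dash", "ksh", "tcsh", "zsh"}
WATCH_PORTS = {"9704"}  # port named in the thread; extend as needed

def audit_inetd(text):
    """Return [(line_no, service, reasons)] for suspicious inetd.conf entries."""
    # Fields: service, socket type, protocol, wait flag, user, program, args...
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 6:
            continue  # blank, comment, or malformed line
        service, user, program = fields[0], fields[4], fields[5]
        user = user.replace(":", ".").split(".")[0]  # strip optional group
        reasons = []
        if os.path.basename(program) in SHELLS:
            reasons.append("shell as server program")
            if user == "root":
                reasons.append("runs as root")
        if service in WATCH_PORTS:
            reasons.append("listens on watched port")
        if reasons:
            findings.append((line_no, service, reasons))
    return findings

def extra_inetd(cmdlines, default="/etc/inetd.conf"):
    """Return inetd command lines that name a non-default config file.

    Assumption: every non-option argument is a config path."""
    hits = []
    for cmd in cmdlines:
        argv = cmd.split()
        if not argv or os.path.basename(argv[0]) != "inetd":
            continue
        configs = [a for a in argv[1:] if not a.startswith("-")]
        if any(c != default for c in configs):
            hits.append(cmd)
    return hits

# Constructed sample input, not taken from the thread.
SAMPLE_CONF = """\
# constructed inetd.conf excerpt
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l
9704    stream  tcp  nowait  root  /bin/sh  sh -i
"""
SAMPLE_PS = ["/usr/sbin/inetd", "inetd /tmp/example.conf"]

if __name__ == "__main__":
    print(audit_inetd(SAMPLE_CONF))
    print(extra_inetd(SAMPLE_PS))
```

Feed `audit_inetd` the contents of each inetd configuration file on the host and `extra_inetd` the command column of the process list.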