Security Incidents mailing list archives

Re: Port 9704


From: Jose Nazario <jose () BIOCSERVER BIOC CWRU EDU>
Date: Wed, 11 Oct 2000 18:23:18 -0400

On Tue, 10 Oct 2000, Derek K. wrote:

> I never thought I'd do this...

no one ever does.

> I'm seeing a lot of traffic from 2 mailservers - it's going out on
> port 9704 and going in on another box's 9704.  I'm suspicious, and
> don't find any references to it around.  The 9704->9704 makes me
> wonder if it isn't a hack of some kind.

9704<->9704 is a new one to me, but ... not inconceivable. port 9704/TCP
is a common port to bind to a root owned shell in inetd (or a second inetd
instance). see the exploit described here:

        http://www.cert.org/advisories/CA-2000-17.html

i hope this helps. i have seen a few 9704/TCP sweeps lately, which i
attributed to this.

jose nazario                                    jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
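
Added example (not part of the original post): a small check for the kind of entry described above, an inetd service that hands out a shell as root or listens on 9704. The sample configuration is constructed, and the function name `audit_inetd` and the shell list are assumptions of this example.

```python
import os

# Interpreters that should never be the server program of an inetd service
# (list is an assumption of this example; extend for your platform).
SHELLS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh", "ash", "dash"}

# Constructed sample in inetd.conf format, not taken from a real host:
# service  socket  proto  wait  user  server-program  arguments
SAMPLE = """\
# constructed sample
ftp     stream  tcp  nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
daytime stream  tcp  nowait  root    internal
9704    stream  tcp  nowait  root    /bin/sh  sh -i
"""


def audit_inetd(text, watch_ports=("9704",)):
    """Return (line_no, reason, line) for suspicious inetd.conf-style entries."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) < 6:
            continue                          # blank or malformed entry
        service, _sock, _proto, _wait, user, program = fields[:6]
        user = user.split(".")[0].split(":")[0]   # user.group / user:group
        reasons = []
        if os.path.basename(program) in SHELLS:
            reasons.append(f"shell as server program, runs as {user}")
        if service in watch_ports:
            reasons.append(f"listens on watched port {service}")
        if reasons:
            findings.append((no, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for no, reason, line in audit_inetd(SAMPLE):
        print(f"line {no}: {reason}\n    {line}")
```

A second inetd instance reads its own file, so run the check against whatever configuration path appears on each running inetd's command line, not only /etc/inetd.conf.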

