Security Incidents mailing list archives

Re: udp bindshell exploit? -- yes


From: Stephen Bannasch <stephen () CONCORD ORG>
Date: Mon, 26 Mar 2001 15:16:12 -0500

To follow up on my previous email.  Yes there is a udp based bindshell exploit [see below] though I don't think it is 
on my system, rpc.mountd was attached to 1008/udp.

------possibly helpful background info------------

I used chkrootkit on http://www.chkrootkit.org/ for checking for the existence of a rootkit, everything came up fine 
except for:

    Checking `bindshell'... INFECTED (PORTS:  1008)

The program uses the following command for establishing the vulnerability:

  netstat -an

Here's what I got running by hand:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
[...]
udp        0      0 0.0.0.0:1008            0.0.0.0:*

All the program really does is check to see if anything is bound to port 1008.

Bindshell is a very simple program that binds a shell to a tcp port. Here's the canonical bindshell.c source:

  http://packetstorm.securify.com/advisories/suid/bindshell.c

However on my server this port is open to udp not to tcp.  A little more searching showed that there is a version of 
bindshell that also works with just udp connections:

  http://packetstorm.securify.com/UNIX/misc/udpshell_v1-0.tgz

So now I need to find out what is actually running on port 1008 and how to delete it if it is not kosher.

Running netstat -apn shows that rpc.mountd is bound to port 1008 [a=all, p=show program bound to socket, n=numeric IP 
addresses].

udp        0      0 0.0.0.0:1008            0.0.0.0:*                           3366/rpc.mountd

rpc.mountd is one of the NFS services so I shut down these services and checked again and the questionable port was 
closed.

-- Stephen Bannasch
   Director of Technology, Concord Consortium
   http://www.concord.org  mailto:stephen () concord org
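The post describes two steps: chkrootkit's bindshell test, which only asks whether anything is bound to port 1008, and the follow-up with netstat -apn that maps the port to the owning program. The script below is an added example, not code from the post or from chkrootkit: it reconstructs the port-only check as the post describes it, then resolves the flagged port to a process, so the false positive (rpc.mountd) is visible in the output. The netstat output it parses is constructed inline and modelled on the lines quoted in the post; the port list defaults to 1008, the one port the post mentions.

```shell
#!/bin/sh
# Constructed sample of `netstat -an` output (not captured from the post's system).
NETSTAT_AN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:1008            0.0.0.0:*'

# Constructed sample of `netstat -apn` output: same sockets, plus the PID/Program column.
NETSTAT_APN='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:1008            0.0.0.0:*                           3366/rpc.mountd'

# A clean sample with nothing on port 1008, to show the negative case.
NETSTAT_AN_CLEAN='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN'

# bindshell_check NETSTAT_AN_TEXT PORT_LIST
# Mimics the chkrootkit test as the post describes it: report INFECTED if any
# socket's local address (field 4) ends in one of the listed ports, whatever the
# protocol or owning process.  This is the source of the false positive.
bindshell_check() {
    found=""
    for port in $2; do
        if printf '%s\n' "$1" | awk -v p="$port" '$4 ~ (":" p "$") { hit = 1 } END { exit !hit }'; then
            found="$found $port"
        fi
    done
    if [ -n "$found" ]; then
        printf 'INFECTED (PORTS: %s)\n' "${found# }"
    else
        printf 'not infected\n'
    fi
}

# port_owner NETSTAT_APN_TEXT PROTO PORT
# Prints the PID/Program entry (last field) for the first socket matching
# protocol and local port, or nothing if no such socket is bound.
port_owner() {
    printf '%s\n' "$1" | awk -v proto="$2" -v p="$3" \
        '$1 == proto && $4 ~ (":" p "$") { print $NF; exit }'
}

# triage NETSTAT_APN_TEXT PORT_LIST
# For every flagged port, say which process holds it on tcp and/or udp.  This is
# the step that turned the post's "INFECTED" into "it's rpc.mountd".
triage() {
    for port in $2; do
        for proto in tcp udp; do
            owner=$(port_owner "$1" "$proto" "$port")
            if [ -n "$owner" ]; then
                printf '%s/%s bound by %s\n' "$port" "$proto" "$owner"
            fi
        done
    done
}

# Demonstration when run directly.
bindshell_check "$NETSTAT_AN" 1008
bindshell_check "$NETSTAT_AN_CLEAN" 1008
triage "$NETSTAT_APN" 1008
```

Run as-is it prints the INFECTED verdict for the sample, "not infected" for the clean sample, and then "1008/udp bound by 3366/rpc.mountd" for the triage step. Note that on a real host netstat only shows the PID/Program column for sockets you have permission to inspect, so the triage step is normally run as root; without it the column is empty and a flagged port stays unexplained.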
