Security Incidents mailing list archives
Re: udp bindshell exploit? -- yes
From: Stephen Bannasch <stephen () CONCORD ORG>
Date: Mon, 26 Mar 2001 15:16:12 -0500
To follow up on my previous email: yes, there is a udp based bindshell exploit [see below], though I don't think it is on my system; rpc.mountd was attached to 1008/udp.

------possibly helpful background info------------

I used chkrootkit from http://www.chkrootkit.org/ for checking for the existence of a rootkit. Everything came up fine except for:

Checking `bindshell'... INFECTED (PORTS: 1008)

The program uses the following command for establishing the vulnerability:

netstat -an

Here's what I got running it by hand:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
[...]
udp        0      0 0.0.0.0:1008            0.0.0.0:*

All the program really does is check to see if anything is bound to port 1008. Bindshell is a very simple program that binds a shell to a tcp port. Here's the canonical bindshell.c source:

http://packetstorm.securify.com/advisories/suid/bindshell.c

However, on my server this port is open to udp, not to tcp. A little more searching showed that there is a version of bindshell that also works with just udp connections:

http://packetstorm.securify.com/UNIX/misc/udpshell_v1-0.tgz

So now I need to find out what is actually running on port 1008 and how to delete it if it is not kosher.

Running netstat -apn shows that rpc.mountd is bound to port 1008 [a=all, p=show program bound to socket, n=numeric IP addresses]:

udp        0      0 0.0.0.0:1008            0.0.0.0:*                           3366/rpc.mountd

rpc.mountd is one of the NFS services, so I shut down these services, checked again, and the questionable port was closed.

--
Stephen Bannasch
Director of Technology, Concord Consortium
http://www.concord.org
mailto:stephen () concord org
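The check the message walks through by hand (is anything bound to the flagged port, which program owns the socket, and is that program a service you expect) can be scripted. The following POSIX shell example is added here and is not code from the post, from chkrootkit, or from netstat; it parses `netstat -apn`-style output. The netstat text embedded in it is constructed to mirror the lines quoted in the message, plus one extra listener whose owner netstat could not see, and the EXPECTED_PROGRAMS allowlist is an assumption to be adjusted per host.

```shell
#!/bin/sh
# Added example (not from the original message). Given `netstat -apn` style
# output, list the programs owning sockets bound to a port and decide whether
# each is an expected service. Real use: bound_programs 1008 "$(netstat -apn)".

# Constructed sample in the layout netstat -apn prints; the 1008/udp line
# mirrors the post, the 2222/tcp line is invented to show an unknown owner
# ("-" appears when netstat cannot see the owning process, e.g. not run as root).
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
udp        0      0 0.0.0.0:1008            0.0.0.0:*                           3366/rpc.mountd
udp        0      0 0.0.0.0:111             0.0.0.0:*                           701/portmap
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      -'

# Assumed allowlist: services that legitimately obtain dynamic ports from
# portmap on this host. Adjust to what the host actually runs.
EXPECTED_PROGRAMS="rpc.mountd rpc.statd portmap"

# bound_programs PORT [NETSTAT_OUTPUT]
# Prints one "proto program" line per socket whose local address ends in :PORT.
# The PID prefix is stripped; an owner netstat could not see becomes "(unknown)".
bound_programs() {
    printf '%s\n' "${2:-$SAMPLE_NETSTAT}" | awk -v p="$1" '
        $1 ~ /^(tcp|udp)/ && $4 ~ (":" p "$") {
            prog = $NF
            if (prog == "-") { prog = "(unknown)" } else { sub(/^[0-9]+\//, "", prog) }
            print $1, prog
        }'
}

# port_is_expected PORT [NETSTAT_OUTPUT]
# Exit 0 if nothing is bound to PORT or every owner is in EXPECTED_PROGRAMS;
# exit 1 if any owner is unknown or not on the list, i.e. worth investigating.
port_is_expected() {
    bound_programs "$1" "$2" | awk -v allow="$EXPECTED_PROGRAMS" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Stand-alone demonstration against the constructed sample.
for port in 1008 2222 9999; do
    echo "port $port owners:"
    bound_programs "$port" | sed 's/^/  /'
    if port_is_expected "$port"; then
        echo "  verdict: nothing unexpected"
    else
        echo "  verdict: unknown or unlisted owner, investigate"
    fi
done
```

Running the script against the sample reports rpc.mountd on 1008/udp as expected and the 2222/tcp listener with no visible owner as something to investigate; a port with no sockets is reported as clean. Because chkrootkit's test only looks at the port number, this is the step that turns its INFECTED line into a decision.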