[lug] outgoing port 220 exploit?

Kevin Fenzi kevin at scrye.com
Tue Jan 20 12:47:45 MST 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "D" == D Stimits <stimits at comcast.net> writes:

D> David Anselmi wrote:
>> Every 5 seconds:
>> 
>> lsof -i4tcp:220
>> 
>> Dave

D> I've tried lsof and netstat with -c, none show it. A failed connect
D> takes all of about 50 milliseconds, so I'd have to hit it in that
D> time. Anything taking a "snapshot", and not reading 100% of
D> anything using the port 6129, or attempting outgoing 220, will
D> fail. Due to firewall rules, even tcpdump will not work, as blocked
D> packets do not get recorded.

What do your incoming rules say about port 6129?

I suspect this is someone scanning for a windows 'DameWare' server
that's vulnerable to attack: 

http://archives.neohapsis.com/archives/incidents/2002-08/0097.html

The packet comes in to port 6129 on your machines, and they have setup
their incoming packet so the reply goes back to port 220 on the
sending machine (in this case it should be a connection refused,
unless you are running DameWare). 

You are using ipchains, which is not a stateful packet filter, so you
are likely allowing all non privileged ports in, ie, 1024:65535... 
so they would be able to get a 6129 packet in? 

Does: 

fuser -n tcp 6129

show anything on your machines?

D> D. Stimits, stimits AT comcast DOT net

kevin
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)
Comment: Processed by Mailcrypt 3.5.8 <http://mailcrypt.sourceforge.net/>

iD8DBQFADYXj3imCezTjY0ERAhVwAJ9i3X27rosIk0TsOK4xwmvaa5a3OwCfUMLY
pl6HRL2am4J2hpG/Fb14xyU=
=Nb12
-----END PGP SIGNATURE-----
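As an added illustration of the mechanism Kevin describes (not code from the thread or from any of its participants): a scanner sends a SYN to tcp/6129 with source port 220, so the host's connection-refused reply goes out to port 220 on the scanner, and a snapshot tool such as lsof or fuser run every few seconds will miss the whole exchange. The script below correlates firewall log lines instead, pairing each outbound tcp/220 packet with the inbound 6129 probe that triggered it and separating out any outbound 220 traffic that has no such probe behind it. The log lines are constructed, and the key=value format is an assumption borrowed from the netfilter LOG target rather than the ipchains format the original poster was running; the IP addresses are documentation-range placeholders.

```python
"""Correlate inbound probes to tcp/6129 with the outbound tcp/220 replies
they trigger, using firewall log lines instead of point-in-time snapshots.

Added example, not part of the original mailing-list thread.  The log
format (SRC=/DST=/PROTO=/SPT=/DPT= plus TCP flag words) is assumed to be
the netfilter LOG style; ipchains logged packets in a different layout.
"""
import re
from typing import Dict, List, Optional

PROBE_PORT = 6129   # DameWare service port the scanner is looking for
REPLY_PORT = 220    # scanner's source port, so our replies go back to 220

# Constructed sample log: two probes from one scanner, the RST reply to the
# first one, and an unrelated locally initiated connection to a remote tcp/220.
SAMPLE_LOG = """\
Jan 20 12:40:01 host kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=220 DPT=6129 SYN
Jan 20 12:40:01 host kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=203.0.113.9 PROTO=TCP SPT=6129 DPT=220 ACK RST
Jan 20 12:40:30 host kernel: FW-OUT: IN= OUT=eth0 SRC=192.0.2.10 DST=198.51.100.7 PROTO=TCP SPT=40123 DPT=220 SYN
Jan 20 12:41:05 host kernel: FW-IN: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=220 DPT=6129 SYN
"""

FIELD_RE = re.compile(r"(SRC|DST|PROTO|SPT|DPT)=(\S+)")
FLAG_RE = re.compile(r"\b(SYN|ACK|RST|FIN)\b")


def parse_line(line: str) -> Optional[dict]:
    """Return the TCP 5-tuple fields and flag set of one log line, or None."""
    fields = dict(FIELD_RE.findall(line))
    if fields.get("PROTO") != "TCP" or not {"SRC", "DST", "SPT", "DPT"} <= fields.keys():
        return None
    return {
        "src": fields["SRC"],
        "dst": fields["DST"],
        "sport": int(fields["SPT"]),
        "dport": int(fields["DPT"]),
        "flags": set(FLAG_RE.findall(line)),
    }


def correlate(log_text: str, local_ip: str) -> Dict[str, List[str]]:
    """Classify packets seen by the firewall of host `local_ip`.

    probes:                   inbound SYNs to tcp/6129 (the scan itself)
    replies_to_probes:        outbound packets from 6129 to port 220 on a host
                              that probed us (the "outgoing port 220" traffic)
    unexplained_outbound_220: outbound traffic to port 220 with no probe behind
                              it, i.e. something on this host initiated it
    """
    probed_by = set()  # remote hosts that have sent us a 6129 probe so far
    report: Dict[str, List[str]] = {
        "probes": [], "replies_to_probes": [], "unexplained_outbound_220": []
    }
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is None:
            continue
        summary = f"{pkt['src']}:{pkt['sport']} -> {pkt['dst']}:{pkt['dport']}"
        inbound_syn = ("SYN" in pkt["flags"]) and ("ACK" not in pkt["flags"])
        if pkt["dst"] == local_ip and pkt["dport"] == PROBE_PORT and inbound_syn:
            probed_by.add(pkt["src"])
            report["probes"].append(summary)
        elif pkt["src"] == local_ip and pkt["dport"] == REPLY_PORT:
            if pkt["sport"] == PROBE_PORT and pkt["dst"] in probed_by:
                report["replies_to_probes"].append(summary)
            else:
                report["unexplained_outbound_220"].append(summary)
    return report


if __name__ == "__main__":
    for kind, entries in correlate(SAMPLE_LOG, "192.0.2.10").items():
        print(f"{kind}:")
        for entry in entries:
            print("   ", entry)
```

The correlation only works if the firewall actually logs what it rejects; a plain DROP rule with no LOG rule in front of it leaves nothing to parse, which is exactly why tcpdump and periodic lsof runs came up empty in the thread. With logging in place, the "replies_to_probes" bucket accounts for the outgoing port 220 traffic, and anything left in "unexplained_outbound_220" is the case that would merit a closer look at the local host.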


