[lug] outgoing port 220 exploit?
David Anselmi
anselmi at anselmi.us
Tue Jan 20 14:57:26 MST 2004
D. Stimits wrote:
[...]
> Going to work with nmap also, but I think the 3 separate major versions
> of KRUD doing same thing at staggered intervals is a relay. 6129 is the
> local port during outgoing packets, not incoming. The destination port
> is tcp 220. I have been unable to find anything creating this as a local
> process but am working on it still.
Your terminology is a little fuzzy. 6129 is the local port, 220 the
remote, from your perspective.

6129 is the source port for outbound packets and the destination port
for inbound packets (that Kevin has hypothesized). 220 is the
destination port for outbound packets and the source port for (Kevin's
hypothetical) inbound packets. ipchains makes this distinction in its
rules.

I assume you're using nmap from another box. You should use tcpdump
from another box too, to see if any inbound traffic to the affected box
is suspicious, uninfluenced by ipchains or malicious code.
Dave
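
The source/destination distinction described in the message above, as an added example that is not part of the original post: it classifies `tcpdump -n`-style lines captured on a separate box by direction relative to the affected host and picks out the 6129/220 flow. The host address, the capture lines, and the names `classify` and `summarize` are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the style of `tcpdump -n` output. Addresses are
# documentation ranges (RFC 5737), not values from the thread.
HOST = "192.0.2.10"  # assumed address of the affected box
CAPTURE = """\
14:02:11.120034 IP 192.0.2.10.6129 > 198.51.100.7.220: Flags [S], seq 1, win 5840, length 0
14:02:11.180412 IP 198.51.100.7.220 > 192.0.2.10.6129: Flags [S.], seq 9, ack 2, win 5792, length 0
14:02:12.003311 IP 203.0.113.5.40112 > 192.0.2.10.6129: Flags [S], seq 5, win 5840, length 0
14:02:13.500001 IP 192.0.2.10.32801 > 198.51.100.9.80: Flags [S], seq 7, win 5840, length 0
"""

# src_ip.src_port > dst_ip.dst_port:
LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")


def classify(line, host=HOST, local_port=6129, remote_port=220):
    """Return (direction, label) from the host's perspective, or None."""
    m = LINE.search(line)
    if not m:
        return None
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    if src == host:
        # Outbound: the local port is the source, the remote port the destination.
        direction, lport, rport = "outbound", sport, dport
    elif dst == host:
        # Inbound: the roles swap, local port is the destination.
        direction, lport, rport = "inbound", dport, sport
    else:
        return None  # traffic not involving the affected box
    if (lport, rport) == (local_port, remote_port):
        label = "flow-under-investigation"
    elif direction == "inbound" and lport == local_port:
        label = "inbound-to-local-port"  # reaches 6129 from some other remote port
    else:
        label = "other"
    return direction, label


def summarize(capture=CAPTURE):
    """Count packets per (direction, label) pair."""
    return Counter(r for r in map(classify, capture.splitlines()) if r)


if __name__ == "__main__":
    for key, count in sorted(summarize().items()):
        print(key, count)
```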