ok, i'm stupid :) search on securityfocus gives even CERT alert about that
compromise - something from rpc area.
http://www.securityfocus.com/templates/archive.pike?list=1&mid=77042
http://www.securityfocus.com/templates/advisory.html?id=2540
etc.
One more comment - how very lazy those scriptkids are nowadays :) they do
not want to compromize the system by themselves, but just scanning if
somebody else has done it before...
regards,
Vitaly.
----- Original Message -----
From: "Vitaly Osipov" <vos_at_gate.int1.telenor.cz>
To: <INCIDENTS_at_SECURITYFOCUS.COM>
Sent: Friday, September 08, 2000 2:26 PM
Subject: port 9704 scans
> Hi all,
>
> I am just curious, what was that guy scanning for - i have packets like
one
> below directed to all hosts in my net...
>
> 09/08-10:55:57.081848 0:90:F2:55:F0:0 -> 0:60:8:CE:FC:C1 type:0x800
len:0x3C
> 24.141.204.108:9704 -> xxx.xx.xx.xx:9704 TCP TTL:23 TOS:0x0 ID:39426
> **SF**** Seq: 0x1FFE9308 Ack: 0x62D853AD Win: 0x404
>
>
> they are syn-fin packets with source and destination ports 9704. I have
not
> found any references to any trojans using this port.
>
> regards,
> Vitaly.
Received on Sep 08 2000
Intro
