[unisog] Echo and Chargen

John Ives jives at cchem.berkeley.edu
Tue Jan 21 23:10:59 GMT 2003


Last March I found a computer that had been compromised and was running an 
xdcc IRC bot on port 7.  The bot had the name of a legitimate Windows file 
(i.e. w32time.exe).  When I ran strings on the file there was a string to the 
effect of 'code by assassin,' which, had I not already seen what the file 
was doing, would have been a major tip-off that it was compromised; instead 
it was more like the icing on the cake.

I can tell you that in that particular case the box was compromised because 
it lacked an admin password.

John

At 11:48 AM 1/21/2003 -0800, you wrote:
>Mary M. Chaddock writes:
>  > I've noticed a slew of computers with ports 7 and 19 open. This appears to
>  > be a recent development.  I've also seen network traffic on these ports.
>  > Does anyone know what is going on?
>
>Well, according to /etc/services:
>
>echo            7/tcp
>echo            7/udp
>chargen         19/tcp          ttytst
>chargen         19/udp          ttytst
>
>These ports are frequently left open in the default inetd.conf in many
>operating systems, although it's been recommended to disable these for a
>long time now.  In particular the offering of the UDP versions of the
>services makes it easy to forge UDP packets to use systems that provide
>these services as reflectors for DoS attacks.

-------------------------------------------------
John Ives, GCWN
Systems Administrator
College of Chemistry
(510) 643-1033

"If you spend more on coffee than on IT security, then you will be hacked. 
What's more, you deserve to be hacked."   - Richard Clarke, special adviser 
to the president on cybersecurity

Any opinions expressed are my own and not those of the Regents of the 
University of California. 
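As an added example that is not part of this thread: a small Python audit of an inetd.conf (a constructed sample, assuming the classic service/socket/proto column layout) that lists the echo/chargen entries still enabled and produces a copy with them commented out, which is the disabling the quoted reply recommends.

```python
"""Audit an inetd.conf for the echo/chargen services (added example)."""
import re

# Services the thread discusses: tiny "internal" inetd services that answer
# any sender, so their UDP variants act as reflectors for spoofed traffic.
REFLECTOR_SERVICES = {"echo", "chargen"}

# Constructed sample resembling a default inetd.conf of that era (assumed layout).
SAMPLE_INETD_CONF = """\
# inetd.conf  (constructed sample)
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
#daytime stream  tcp     nowait  root    internal
"""

# First three whitespace-separated columns: service, socket type, protocol.
LINE_RE = re.compile(r"^\s*(?P<service>\S+)\s+(?P<socket>\S+)\s+(?P<proto>\S+)")

def enabled_reflectors(conf_text):
    """Return (service, proto) pairs for active echo/chargen entries."""
    found = []
    for line in conf_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or already commented out
        m = LINE_RE.match(line)
        if m and m.group("service") in REFLECTOR_SERVICES:
            found.append((m.group("service"), m.group("proto")))
    return found

def harden(conf_text):
    """Return a copy of the config with active echo/chargen lines commented out."""
    out = []
    for line in conf_text.splitlines():
        m = LINE_RE.match(line)
        active = bool(m) and not line.lstrip().startswith("#")
        if active and m.group("service") in REFLECTOR_SERVICES:
            out.append("#" + line + "   # disabled: UDP reflector / unneeded")
        else:
            out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for svc, proto in enabled_reflectors(SAMPLE_INETD_CONF):
        print(f"enabled reflector service: {svc}/{proto}")
    print(harden(SAMPLE_INETD_CONF))
```

After editing a real inetd.conf the same way, inetd must be sent a HUP (or restarted) for the change to take effect.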
