[unisog] Echo and Chargen
jives at cchem.berkeley.edu
Tue Jan 21 23:10:59 GMT 2003
Last March I found a computer that had been compromised and was running an
xdcc IRC bot on port 7. The bot had the name of a legitimate Windows file
(i.e. w32time.exe). When I ran strings on the file there was a string to the
effect of 'code by assassin,' which, had I not already seen what the file
was doing, would have been a major tip-off that it was compromised; instead
it was more like the icing on the cake.
I can tell you that in that particular case the box was compromised because
it lacked an admin password.
At 11:48 AM 1/21/2003 -0800, you wrote:
>Mary M. Chaddock writes:
> > I've noticed a slew of computers with ports 7 and 19 open. This
> > appears to be a recent development. I've also seen network traffic on
> > these ports.
> > Does anyone know what is going on?
>Well, according to /etc/services:
>chargen 19/tcp ttytst
>chargen 19/udp ttytst
>These ports are frequently left open in the default inetd.conf in many
>operating systems, although it's been recommended to disable these for a
>long time now. In particular the offering of the UDP versions of the
>services makes it easy to forge UDP packets to use systems that provide
>these services as reflectors for DoS attacks.
John Ives, GCWN
College of Chemistry
"If you spend more on coffee than on IT security, Then you will be hacked.
What's more, you deserve to be hacked." - Richard Clarke special adviser
to the president on cybersecurity
Any opinions expressed are my own and not those of the Regents of the
University of California.
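The quoted reply points at the default inetd.conf as the usual reason echo (7) and chargen (19) are open, and at the UDP variants as the reflector risk. The following is an added example, not code from the list or from either poster: a small audit script that parses an inetd.conf, reports which of the classic "small services" are still enabled (flagging the UDP ones), and writes out a hardened copy with those entries commented out. The sample config embedded in it is constructed for the example; the service-to-port table reflects the standard assignments in /etc/services.

```python
"""Audit an inetd.conf for the classic 'small services' (echo, chargen,
discard, daytime, time) and produce a hardened copy with them disabled.

The config text below is a constructed sample, not taken from any real host.
"""

# Small services that inetd serves 'internal'. echo (7) and chargen (19) are
# the ones seen open in the thread; the UDP variants are the DoS-reflector risk.
SMALL_SERVICES = {"echo": 7, "chargen": 19, "discard": 9, "daytime": 13, "time": 37}

SAMPLE_INETD_CONF = """\
# constructed sample /etc/inetd.conf for this example
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
chargen dgram   udp     wait    root    internal
#discard stream tcp     nowait  root    internal
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
"""


def parse_inetd(text):
    """Return (lineno, service, socket_type, proto) for each active entry.

    Blank lines, comments and malformed lines (fewer than the six
    mandatory inetd fields) are skipped.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        entries.append((lineno, fields[0], fields[1], fields[2]))
    return entries


def find_small_services(text):
    """Return enabled small-service entries as (service, proto, port, is_udp).

    is_udp is True for the datagram variants, which answer unsolicited
    packets and can therefore be abused as reflectors.
    """
    findings = []
    for _, svc, _stype, proto in parse_inetd(text):
        if svc in SMALL_SERVICES:
            findings.append((svc, proto, SMALL_SERVICES[svc], proto == "udp"))
    return findings


def harden_inetd(text):
    """Return the config with every small-service entry commented out.

    All other lines, including existing comments, are passed through
    unchanged so the result can be diffed against the original.
    """
    out = []
    for raw in text.splitlines():
        stripped = raw.strip()
        fields = stripped.split()
        active = stripped and not stripped.startswith("#")
        if active and fields[0] in SMALL_SERVICES:
            out.append("#" + raw)
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for svc, proto, port, is_udp in find_small_services(SAMPLE_INETD_CONF):
        note = " (UDP: answers unsolicited packets, reflector risk)" if is_udp else ""
        print(f"{svc}/{proto} on port {port} is enabled{note}")
    print("--- hardened inetd.conf ---")
    print(harden_inetd(SAMPLE_INETD_CONF), end="")
```

Run against a real file with `harden_inetd(open("/etc/inetd.conf").read())` and send inetd a HUP afterwards; hosts using xinetd keep per-service files in a different format and need a separate check, and a Windows box (as in the w32time.exe case above) does not run inetd at all, so an open port 7 there is worth a closer look regardless.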