Handler on Duty: Guy Bruneau
| URL |
|---|
| Port 20000 TCP Activity |
| [Guest Diary] Malware Source Servers: The Threat of Attackers Using Ephemeral Ports as Service Ports to Upload Data |
| Submitted By | Date | Comment |
|---|---|---|
| sinysee | 2007-05-08 13:43:27 | An article in Red Hat Magazine (issue 10, August 05) suggests binding the NFS ports to port numbers 10000-10005. Port 10000 will then be nfslockmgr. |
| | 2007-02-12 12:19:43 | This is the kiddies looking for hosts running Webmin or Usermin. There is a vuln from June 30 2006 (BID 18744; CVE-2006-3392) which allows an attacker to request an arbitrary file from the remote host without authenticating to Webmin. The mass auto-rooters that I've captured for this vuln request /etc/shadow, and then send the file via email to a Yahoo account by default. There was also a Metasploit module published recently for the vuln. There is also a format string bug and integer overflow in Webmin, but there are no public sploits for them (CANVAS has one). Versions of Webmin older than 1.290 are affected by BID 18744, as well as versions of Usermin older than 1.220. If you're running Webmin or Usermin, take a look at your miniserv.log (/var/log/webmin/miniserv.log). You should see a great deal of requests for /etc/shadow. Usermin also runs on port 20000. Look for a directory called w, and/or a file called pscan2. Both of these were used in the auto-rooters I was able to capture. |
| Dave Larter | 2007-02-12 12:19:32 | This port is also used by Sage MAS90/200 accounting software. |
| Thom del la Franssen and Marco del Semmlero | 2006-01-12 23:48:29 | Used by the Cisco VPN Client (TCP and UDP): IPSec over TCP or over UDP. |
| Melvin | 2005-12-20 05:47:47 | There is a format-string vulnerability in the Perl code for Webmin that can be exploited without needing authentication to Webmin. Reference: http://www.dyadsecurity.com/webmin-0001.html |
| Nico Baggus | 2005-11-08 20:48:28 | Port 10000 is also used by Webmin. |
| Tracy Bost | 2005-07-06 15:32:41 | Port 10000 is the default port used by the Zabbix agent. |
| Joel Esler | 2005-06-28 20:40:47 | On the 24th of June 2005, the Metasploit plugin for the Veritas Backup Exploit was released. Since then, scanning for port 10000 has been astronomically high. |
| | 2005-04-06 10:36:45 | Used for connection setup between the media server and the (Windows) Remote Agent of Veritas Backup Exec. |
| Jean-Pierre Denis | 2003-02-14 09:51:50 | Port 10000 is also the default port used by Webmin, a web-based interface for system administration of Unix and Linux. |
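The miniserv.log check recommended in the 2007-02-12 comment above, as an added example that is not part of the original page: it parses constructed log lines, URL-decodes each request path before matching so an encoded /etc/shadow request is not missed, ranks the requesting sources, and searches a directory tree for the `w` directory and `pscan2` file the comment names. The log line layout (Common-Log-Format style) and the search root are assumptions.

```python
import re
from collections import Counter
from pathlib import Path
from urllib.parse import unquote

# Assumption: miniserv.log lines look like Common Log Format, e.g.
#   client - user [timestamp] "METHOD /path HTTP/1.x" status bytes
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOG_PATH = "/var/log/webmin/miniserv.log"  # default location named in the comment


def shadow_requests(lines):
    """Return (src, ts, decoded_path, status) for every request reaching for /etc/shadow.
    The path is URL-decoded twice first, so %2f or double-encoded forms do not hide it."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than failing the whole run
        decoded = unquote(unquote(m.group("path")))
        if "etc/shadow" in decoded:
            hits.append((m.group("src"), m.group("ts"), decoded, m.group("status")))
    return hits


def sources_by_count(hits):
    """Requesting addresses ranked by how many /etc/shadow requests each made."""
    return Counter(h[0] for h in hits).most_common()


def rooter_artifacts(root):
    """Paths under root matching the comment's artifacts: a directory 'w' or a file 'pscan2'."""
    return sorted(str(p) for p in Path(root).rglob("*")
                  if (p.is_dir() and p.name == "w") or (p.is_file() and p.name == "pscan2"))


# Constructed sample lines (not a real capture); addresses are from documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Feb/2007:12:01:03 -0500] "GET /unauthenticated/..%252f..%252fetc%252fshadow HTTP/1.0" 200 1311',
    '203.0.113.7 - - [12/Feb/2007:12:01:04 -0500] "GET /unauthenticated/..%2fetc%2fshadow HTTP/1.0" 200 1311',
    '198.51.100.4 - admin [12/Feb/2007:12:05:10 -0500] "GET /updown/upload.cgi HTTP/1.1" 200 4821',
    '192.0.2.9 - - [12/Feb/2007:12:07:41 -0500] "GET /unauthenticated/%2e%2e/etc/shadow HTTP/1.0" 404 233',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    hits = shadow_requests(SAMPLE_LOG)  # replace SAMPLE_LOG with open(LOG_PATH) on a real host
    for h in hits:
        print(*h)
    print(sources_by_count(hits))
```

Failed (404) attempts are reported too, since an unsuccessful probe still identifies a scanning source worth blocking.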