[Snort-users] Strange happenings over NVP




Greetings all,

I've got an interesting one...

Does anyone out there know of any nefarious uses of NVP (Network Voice Protocol, RFC 741, proto no. 11)?

Just so happens I have come across a Red Hat 6.2 box that, when doing a netstat -alp, showed:

Proto Recv-Q Send-Q Local Address           Foreign Address         State
....      
raw        0      0 *:11                    *:*                     7

Interestingly the PID corresponded to mingetty...

This machine had been compromised and also had a rootshell running out of inetd...

Any ideas, anyone?

Best Regards
Ryan Oliver
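
Added example, not part of the original post: a Python check for the situation described above, listing raw sockets from /proc/net/raw-style text and flagging IP protocol numbers outside an expected set. On a netstat `raw` line the value after the colon is the IP protocol number, and state 7 is the closed state that unconnected raw sockets normally show. The sample table is constructed, the expected set (ICMP only) is an assumption, and `pids_for_inode` is a hypothetical helper that maps a socket inode to owning PIDs through /proc/<pid>/fd.

```python
import os

# Constructed sample in /proc/net/raw layout (columns after inode trimmed).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   1: 00000000:0001 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 1201
  11: 00000000:000B 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 4242
"""
PROTO_NAMES = {1: "icmp", 2: "igmp", 6: "tcp", 11: "nvp-ii", 17: "udp", 255: "raw"}
EXPECTED = {1}  # assumption: ICMP is the only raw protocol this host should use

def parse_raw_table(text):
    """Return one dict per raw socket; the 'port' field is the IP protocol number."""
    socks = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, proto_hex = f[1].split(":")
        socks.append({"proto": int(proto_hex, 16),
                      "wildcard": int(addr_hex, 16) == 0,
                      "state": int(f[3], 16),
                      "uid": int(f[7]),
                      "inode": int(f[9])})
    return socks

def unexpected(socks, expected=EXPECTED):
    """Raw sockets whose protocol number is not in the expected set."""
    return [s for s in socks if s["proto"] not in expected]

def pids_for_inode(inode, proc="/proc"):
    """Hypothetical helper: PIDs with an fd pointing at socket:[inode] (needs root)."""
    target, pids = "socket:[%d]" % inode, []
    for pid in filter(str.isdigit, os.listdir(proc)):
        fd_dir = os.path.join(proc, pid, "fd")
        try:
            if any(os.readlink(os.path.join(fd_dir, fd)) == target
                   for fd in os.listdir(fd_dir)):
                pids.append(int(pid))
        except OSError:                          # process exited or access denied
            continue
    return pids

if __name__ == "__main__":
    live = os.path.exists("/proc/net/raw")
    text = open("/proc/net/raw").read() if live else SAMPLE
    for s in unexpected(parse_raw_table(text)):
        owners = pids_for_inode(s["inode"]) if live else []
        print("raw socket proto=%d (%s) uid=%d inode=%d pids=%s" % (
            s["proto"], PROTO_NAMES.get(s["proto"], "unknown"),
            s["uid"], s["inode"], owners))
```

On a host already known to be compromised, treat the output of local tools as untrusted and compare it with what is seen from a trusted boot medium or on the wire.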
