Port 1524

Vulnerability Description

Brief description: When an attacker has compromised a system, she will often install a backdoor that surreptitiously listens on a port, and allows the attacker to regain access to the system at a later time.

Full description: A backdoor is a program that is not obviously in place, but allows an attacker to obtain unauthorized privileges. Often, when an attacker has succeeded in compromising a system, a backdoor will be installed that listens on the network so that the attacker may regain remote access at a later time. The attacker will sometimes patch the hole that originally allowed access, and would then like to be able to return without having to alter existing system accounts or passwords. The backdoor allows this. Port 1524 is commonly used for such a backdoor.

Components: TCP/IP stack

Systems: Any that support network connectivity.

Effect(s) of exploiting: The effect depends on the nature of the server being run.

Detecting the hole:

    1. Without a login on the suspect system, connect to port 1524 using TCP and/or UDP. If it responds, the port is active.
    2. With a login, look on the system to see what process is bound to port 1524.
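
The second detection step, sketched as an added example (not part of the original entry): it assumes a Linux host, reads the kernel's /proc/net/tcp socket table for listeners on port 1524, and maps each socket inode to the owning process. The function names and the sample table are constructed for illustration.

```python
import glob
import os

BACKDOOR_PORT = 1524
TCP_LISTEN = "0A"  # state code for LISTEN in /proc/net/tcp

# Assumes Linux /proc. Constructed sample in /proc/net/tcp layout (not from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0 100 0 0 10 0
   1: 00000000:05F4 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0 100 0 0 10 0
   2: 0100007F:05F4 0100007F:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0 100 0 0 10 0
"""

def listeners(table_text, port=BACKDOOR_PORT):
    """Return [(hex_local_addr, uid, inode)] for sockets LISTENing on port."""
    found = []
    for line in table_text.splitlines()[1:]:      # skip header row
        f = line.split()
        if len(f) < 10:
            continue
        addr, hex_port = f[1].rsplit(":", 1)      # port is hex: 1524 == 0x05F4
        if f[3] == TCP_LISTEN and int(hex_port, 16) == port:
            found.append((addr, int(f[7]), int(f[9])))
    return found

def pids_for_inode(inode):
    """Map a socket inode to owning PIDs via /proc/<pid>/fd (root needed for other users)."""
    target = f"socket:[{inode}]"
    pids = set()
    for fd in glob.glob("/proc/[0-9]*/fd/*"):
        try:
            if os.readlink(fd) == target:
                pids.add(int(fd.split("/")[2]))
        except OSError:
            continue                              # process exited or permission denied
    return sorted(pids)

if __name__ == "__main__":
    for path in ("/proc/net/tcp", "/proc/net/tcp6"):
        try:
            with open(path) as fh:
                for addr, uid, inode in listeners(fh.read()):
                    for pid in pids_for_inode(inode) or [None]:
                        exe = os.path.realpath(f"/proc/{pid}/exe") if pid else "unknown"
                        print(f"{path}: port {BACKDOOR_PORT} uid={uid} pid={pid} exe={exe}")
        except OSError:
            pass
```

A listener that appears in the socket table but maps to no PID, or whose executable path no longer exists on disk, is worth treating as suspicious in its own right, since the attacker may have modified the system to hide the process.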

Fixing the hole:

    1. If a server is running and it should not be running, turn it off.
    2. Kill the backdoor process.
    3. Remove the backdoor executable. (The attacker may have modified the system to make both of these difficult.)

Other information:

Keywords

backdoor network

Cataloguing

CVE Number: ##### --

Exploit Information

Attack:

Related Information

Advisories:

Related Vulnerabilities:

Reportage

Reporting: in ( )

Revision Number 1

  1. Eric Haugh (7/6/2000):