Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC Port Details:




Port Information

Protocol | Service | Name
tcp | BackupExec | Veritas Backup Exec
tcp | ndmp | Network Data Management Protocol
tcp | OpwinTRojan | [trojan] OpwinTRojan
udp | ndmp | Network Data Management Protocol

User Comment

Submitted By Date
Comment
sinysee 2007-05-08 13:43:27
An article in Red Hat magazine (issue 10, August 05) suggests binding nfs ports to port numbers 10000-10005. Port 10000 will be nfslockmgr then.
2007-02-12 12:19:43
This is the kiddies looking for hosts running Webmin or Usermin. There is a vuln from June 30 2006 (BID 18744; CVE-2006-3392) which allows an attacker to request an arbitrary file from the remote host without authenticating to Webmin. The mass auto-rooters that I've captured for this vuln request /etc/shadow, and then send the file via email to a Yahoo account by default. There was also a Metasploit module published recently for the vuln. There is also a format string bug and integer overflow in Webmin, but there are no public sploits for them (CANVAS has one). Versions of Webmin older than 1.290 are affected by BID 18744, as well as versions of Usermin older than 1.220. If you're running Webmin or Usermin, take a look at your miniserv.log (/var/log/webmin/miniserv.log). You should see a great deal of requests for /etc/shadow. Usermin also runs on port 20000. Look for a directory called w, and/or a file called pscan2. Both of these were used in the auto-rooters I was able to capture.
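An added example, not part of the comment above or of any SANS or Webmin code: a triage script for the miniserv.log check that comment recommends. It assumes the log uses a Common Log Format style line; the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Assumed CLF-style line: client ident user [timestamp] "request" status size
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]*)\] "([^"]*)" (\d{3}) \S+')
TARGET = "/etc/shadow"

def decode_path(raw, rounds=3):
    """Percent-decode up to `rounds` times so double-encoded paths still match."""
    for _ in range(rounds):
        decoded = unquote(raw)
        if decoded == raw:
            break
        raw = decoded
    return raw

def shadow_requests(lines):
    """Return (client, timestamp, status, decoded_path) per request naming /etc/shadow."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in the assumed format
        client, ts, request, status = m.groups()
        parts = request.split()
        if len(parts) < 2:
            continue  # malformed request line
        path = decode_path(parts[1])
        if TARGET in path.lower():
            hits.append((client, ts, int(status), path))
    return hits

def summarize(hits):
    """Per client: matching requests, and how many got a 200 (file likely served)."""
    total = Counter(h[0] for h in hits)
    served = Counter(h[0] for h in hits if h[2] == 200)
    return {c: {"requests": n, "status_200": served[c]} for c, n in total.items()}

# Constructed sample lines (documentation-range addresses), not real log data.
SAMPLE = [
    '192.0.2.10 - - [12/Feb/2007:12:01:02 +0000] "GET /a/../../etc/shadow HTTP/1.0" 200 1024',
    '192.0.2.10 - - [12/Feb/2007:12:01:05 +0000] "GET /a/..%252f..%252fetc%252fshadow HTTP/1.0" 404 0',
    '198.51.100.7 - admin [12/Feb/2007:12:02:00 +0000] "GET /sysinfo.cgi HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Feb/2007:12:03:00 +0000] "GET /%2Fetc%2Fshadow HTTP/1.0" 200 900',
]

if __name__ == "__main__":
    for client, stats in summarize(shadow_requests(SAMPLE)).items():
        print(client, stats)
```

A client with a non-zero `status_200` count is the one to prioritise: the password file was probably returned, so credentials on that host should be treated as exposed.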
Dave Larter 2007-02-12 12:19:32
This port is also used by Sage MAS90/200 accounting software
Thom del la Franssen and Marco del Semmlero 2006-01-12 23:48:29
Used by CISCO VPN-Client (TCP and UDP) -- IPSec over TCP or over UDP.
Melvin 2005-12-20 05:47:47
There is a format-string vulnerability in the PERL code for WEBMIN, that can be exploited without needing authentication to WEBMIN. Reference: http://www.dyadsecurity.com/webmin-0001.html
Nico Baggus 2005-11-08 20:48:28
Port 10000 is also used by Webmin
Tracy Bost 2005-07-06 15:32:41
Port 10000 is the default port used by the Zabbix agent.
Joel Esler 2005-06-28 20:40:47
On the 24th of June 2005, the Metasploit plugin for the Veritas Backup Exploit was released. Since then, scanning for port 10000 has been astronomically high.
2005-04-06 10:36:45
Used for establishing the connection between the media server and the (Windows) Remote Agent of Veritas Backup Exec.
Jean-Pierre Denis 2003-02-14 09:51:50
Port 10000 is also the default port used by Webmin, a web-based interface for system administration of Unix and Linux.

CVE Links

CVE # Description
CVE-2005-773 "Stack-based buffer overflow in VERITAS Backup Exec Remote Agent 9.0 through 10.0 for Windows