UAAC Protocol?

From: Clarke, Suzy (suzy.clarke@cgey.com)
Date: 06/26/02


From: "Clarke, Suzy" <suzy.clarke@cgey.com>
To: incidents@securityfocus.com
Date: Wed, 26 Jun 2002 09:42:46 +0100

Hi all,

Last year the XC telnetd worm infected machines running the BSD-based telnet
daemon. Amongst other things it installed a rootshell backdoor on TCP port
145.

This port is reserved for a service called "UAAC" [it's defined by default
in FreeBSD's /etc/services file].
Does anyone have any idea what it's legitimately used for?

I've checked the RFCs and done a Google search but they haven't turned up
anything. In several port listings a David Gomberg at Mitre
[gomberg@gateway.mitre.org] is listed as the contact for this service but
mail to that address bounces. I was also referred to him by IANA. Does
anyone have an alternate email for him?

I contacted Ryan Russell at Sec Focus as he did the original XC worm
analysis but he doesn't know what UAAC is used for either.

If you've got any ideas or info please let me know.
Thanks,
Suzy

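The message above points out that TCP port 145 is labelled "uaac" in /etc/services even though the listener found there was a backdoor. As an added example (not part of the original message), this Python script compares listening sockets against a per-host baseline and labels anything left over with its services-file name; the services and netstat text are constructed samples, and `EXPECTED` is a hypothetical baseline.

```python
import re

# Constructed sample in /etc/services format (not taken from a real host).
SERVICES = """\
ssh      22/tcp
telnet   23/tcp
uaac     145/tcp   #UAAC Protocol
"""

# Constructed listening-socket lines in BSD `netstat -an` style.
NETSTAT = """\
tcp4  0  0  *.22         *.*             LISTEN
tcp4  0  0  *.23         *.*             LISTEN
tcp4  0  0  *.145        *.*             LISTEN
tcp4  0  0  10.0.0.5.23  10.0.0.9.40112  ESTABLISHED
"""

# Hypothetical baseline: the listeners this host is supposed to have.
EXPECTED = {(22, "tcp"), (23, "tcp")}

def parse_services(text):
    """Map (port, proto) -> service name, ignoring comments and aliases."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and re.fullmatch(r"\d+/(tcp|udp)", fields[1]):
            port, proto = fields[1].split("/")
            table.setdefault((int(port), proto), fields[0])
    return table

def listening_sockets(text):
    """Return {(port, proto)} for TCP sockets in LISTEN state."""
    found = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].startswith("tcp") and f[5] == "LISTEN":
            found.add((int(f[3].rsplit(".", 1)[1]), "tcp"))
    return found

def unexpected_listeners(netstat, services, expected):
    """Listeners outside the baseline, labelled with their services-file name."""
    names = parse_services(services)
    extra = listening_sockets(netstat) - set(expected)
    return sorted((port, proto, names.get((port, proto), "?"))
                  for port, proto in extra)

if __name__ == "__main__":
    for port, proto, name in unexpected_listeners(NETSTAT, SERVICES, EXPECTED):
        print(f"{port}/{proto} ({name}): listening but not in baseline")
```

A services-file entry only maps a port number to a label, so a listener that resolves to a registered name still needs to be tied to an expected daemon on that host.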


