[lug] outgoing port 220 exploit?

David Anselmi anselmi at anselmi.us
Tue Jan 20 14:57:26 MST 2004

D. Stimits wrote:
> Going to work with nmap also, but I think the 3 separate major versions 
> of KRUD doing same thing at staggered intervals is a relay. 6129 is the 
> local port during outgoing packets, not incoming. The destination port 
> is tcp 220. I have been unable to find anything creating this as a local 
> process but am working on it still.

Your terminology is a little fuzzy.  6129 is the local port, 220 the 
remote, from your perspective.

6129 is the source port for outbound packets and the destination port 
for inbound packets (that Kevin has hypothesized).  220 is the 
destination port for outbound packets and the source port for (Kevin's 
hypothetical) inbound packets.  ipchains makes this distinction in its 

I assume you're using nmap from another box.  You should use tcpdump 
from another box too, to see if any inbound traffic to the affected box 
is suspicious, uninfluenced by ipchains or malicious code.


More information about the LUG mailing list