Educause Security Discussion mailing list archives

Re: Port 65531 Remote Command Prompt


From: Michael Mills <mmills () RKON COM>
Date: Tue, 31 Aug 2004 22:28:33 -0500

I have also seen this port used as a replacement port for BitTorrent clients.



Michael Mills


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cam Beasley, ISO
Sent: Tuesday, August 31, 2004 10:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Port 65531 Remote Command Prompt

David --

This might be a side-effect of a Gaobot|Rbot|SDbot varietal compromise.
IDS sigs targeting both specific IRC activity and LSASS scans
can be useful in identifying problem hosts.

I've seen similar rogue FTPs listening on various non-standard ports.

best of luck,

~cam

Cam Beasley CISSP CIFI
Sr. InfoSec Analyst
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv on behalf of David
Taylor
Sent: Tue 8/31/2004 14:42
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Port 65531 Remote Command Prompt

Hi All,

We have been seeing some of the systems on our campus listening on port
65531 which returns a Windows Command Prompt banner:

Grabbing the banner from the port below returns:
TCP ports: 65531


TCP 65531:
[Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000
Microsoft Corp. C:\WINNT\system32> C:\WINNT\system32> C:\WINNT\system32>]

Has anyone else been finding this on their networks?

======================================================
David Taylor    // Sr. Information Security Specialist
Information Systems & Computing //Information Security
University of Pennsylvania      // Philadelphia PA USA
LTR () ISC UPENN EDU                       (215) 898-1236
http://www.upenn.edu/computing/security
======================================================


**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.



