Educause Security Discussion mailing list archives
Re: Port 65531 Remote Command Prompt
From: Michael Mills <mmills () RKON COM>
Date: Tue, 31 Aug 2004 22:28:33 -0500
I have also seen this port used as a replacement port for BitTorrent clients.

Michael Mills

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Cam Beasley, ISO
Sent: Tuesday, August 31, 2004 10:24 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Port 65531 Remote Command Prompt

David --

This might be a side-effect of a Gaobot|Rbot|SDbot varietal compromise. IDS sigs targeting both specific IRC activity and LSASS scans can be useful in identifying problem hosts.

I've seen similar rogueFTPs listening on various non-standard ports.

best of luck,

~cam

Cam Beasley CISSP CIFI
Sr. InfoSec Analyst
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv on behalf of David Taylor
Sent: Tue 8/31/2004 14:42
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Port 65531 Remote Command Prompt

Hi All,

We have been seeing some of the systems on our campus listening on port 65531 which returns a Windows Command Prompt banner:

Grabbing the banner from the port below returns:

TCP ports: 65531
TCP 65531:
[Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system 32>
C:\WINNT\system32>
C:\WINNT\system32>]

Has anyone else been finding this on their networks?

======================================================
David Taylor // Sr. Information Security Specialist
Information Systems & Computing // Information Security
University of Pennsylvania // Philadelphia PA USA
LTR () ISC UPENN EDU
(215) 898-1236
http://www.upenn.edu/computing/security
======================================================

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
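A defender-side check for the banner quoted in the thread, added here as an example and not part of any poster's message: it classifies bytes captured from a listener on your own hosts as a Windows command-prompt banner or something else. The function names (`classify_banner`, `grab_banner`, `triage`), the regular expressions and the sample captures are assumptions constructed for illustration.

```python
import re
import socket

# cmd.exe startup line, e.g. "Microsoft Windows 2000 [Version 5.00.2195]"
CMD_BANNER = re.compile(rb"Microsoft Windows[^\r\n\[]*\[Version [0-9.]+\]")
# Drive-letter prompt, e.g. "C:\WINNT\system32>"
CMD_PROMPT = re.compile(rb"[A-Za-z]:\\[^\r\n<>|]*>")

# Constructed sample captures (not real traffic).
SAMPLE_CMD = (b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
              b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\n"
              b"C:\\WINNT\\system32>")
SAMPLE_FTP = b"220 FTP server ready.\r\n"


def classify_banner(data: bytes) -> str:
    """Return 'cmd-shell', 'cmd-prompt-only' or 'other' for captured bytes."""
    has_banner = bool(CMD_BANNER.search(data))
    has_prompt = bool(CMD_PROMPT.search(data))
    if has_banner and has_prompt:
        return "cmd-shell"
    if has_prompt:
        return "cmd-prompt-only"
    return "other"


def grab_banner(host, port=65531, timeout=3.0, max_bytes=1024) -> bytes:
    """Connect, send nothing, and return what the listener volunteers."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            while sum(map(len, chunks)) < max_bytes:
                try:
                    chunk = s.recv(max_bytes)
                except socket.timeout:
                    break  # listener went quiet; keep what we have
                if not chunk:
                    break  # listener closed the connection
                chunks.append(chunk)
    except OSError:
        return b""  # closed, filtered or unreachable
    return b"".join(chunks)


def triage(captures):
    """captures: {(host, port): bytes}. Return endpoints needing follow-up."""
    return sorted(ep for ep, data in captures.items()
                  if classify_banner(data) != "other")
```
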
Current thread:
- Port 65531 Remote Command Prompt David Taylor (Aug 31)
- <Possible follow-ups>
- Re: Port 65531 Remote Command Prompt Cam Beasley, ISO (Aug 31)
- Re: Port 65531 Remote Command Prompt Michael Mills (Aug 31)