Security Incidents mailing list archives

Re: UDP port 2140 ?


From: Wayne Langlois <wayne () DIAMONDCS COM AU>
Date: Mon, 14 Aug 2000 15:59:00 -0000

Alex,

You are being scanned by a hacker using a DeepThroat remote 
access trojan client - could be version 1, 2, or 3. The 
default server port is UDP 2140, the client binds to UDP 
60000. If the said hacker was using a custom-made program, 
their port may not be 60000. We have many variants 
including Foreplay, WinNuke Extreme Dropper, Winspoofer 
Dropper, DarkStar 1.0, DarkStar 1.1, DXBall & TetrisSquare 
Droppers, as well as standard versions - 1.0, 2.0, 2.1, 
3.0, 3.1, 3.1b. Despite the many variants, it is not a very 
commonly used trojan. The DeepThroat homepage (as cited in 
the DeepThroat readme.rtf) is http://deept.cjb.net

Kind regards,
wayne () diamondcs com au

Any idea what this port is?  I have seen scans on my whole 
class C scanned from port 60000 on 193.230.162.187 and from 
193.230.162.250, also source port 2140.

It has happened some time ago, while I was out of town.  
I have looked in the archives and the usual firewall-seen 
sites, but no luck. 
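
A log check built on the two port numbers given in the reply above, added here as an example and not part of the original messages. It assumes iptables-style key=value firewall log lines; the sample addresses are constructed, and `find_sweeps` is a hypothetical helper name.

```python
import re
from collections import defaultdict

SERVER_PORT = 2140   # DeepThroat default server port, per the reply above
CLIENT_PORT = 60000  # port the standard client binds to, per the reply above

# Constructed sample lines (documentation addresses, assumed iptables-style format).
SAMPLE_LOG = """\
Aug 12 03:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.1 PROTO=UDP SPT=60000 DPT=2140
Aug 12 03:10:01 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.2 PROTO=UDP SPT=60000 DPT=2140
Aug 12 03:10:02 fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.3 PROTO=UDP SPT=60000 DPT=2140
Aug 12 03:11:40 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.1 PROTO=UDP SPT=2140 DPT=2140
Aug 12 03:11:40 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.2 PROTO=UDP SPT=2140 DPT=2140
Aug 12 03:11:41 fw kernel: IN=eth0 SRC=198.51.100.9 DST=192.0.2.3 PROTO=UDP SPT=2140 DPT=2140
Aug 12 03:12:00 fw kernel: IN=eth0 SRC=203.0.113.5 DST=192.0.2.1 PROTO=TCP SPT=60000 DPT=2140
Aug 12 03:12:05 fw kernel: IN=eth0 SRC=203.0.113.6 DST=192.0.2.1 PROTO=UDP SPT=60000 DPT=53
Aug 12 03:12:09 fw kernel: IN=eth0 SRC=203.0.113.8 DST=192.0.2.4 PROTO=UDP SPT=60000 DPT=2140
Aug 12 03:12:10 fw kernel: IN=eth0 SRC=203.0.113.8 PROTO=UDP SPT=abc DPT=2140
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def find_sweeps(log_text, min_hosts=3):
    """Map each source that probed UDP 2140 on >= min_hosts hosts to a summary."""
    targets = defaultdict(set)    # source IP -> destination hosts probed
    src_ports = defaultdict(set)  # source IP -> source ports it used
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "UDP":
            continue
        try:
            src, dst = f["SRC"], f["DST"]
            spt, dpt = int(f["SPT"]), int(f["DPT"])
        except (KeyError, ValueError):
            continue  # skip truncated or malformed lines
        if dpt == SERVER_PORT:
            targets[src].add(dst)
            src_ports[src].add(spt)
    return {
        src: {"hosts": len(hosts),
              # True only if every probe came from the standard client's port
              "standard_client_port": src_ports[src] == {CLIENT_PORT}}
        for src, hosts in targets.items() if len(hosts) >= min_hosts
    }

if __name__ == "__main__":
    for src, info in find_sweeps(SAMPLE_LOG).items():
        print(src, info)
```

A source flagged with `standard_client_port` set to False, such as the constructed one probing from source port 2140, matches the reply's caveat that a custom-made program may not bind to 60000.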

