Security Incidents mailing list archives
Re: Port: 27374 asp
From: Max0r <max0r () SERVER5 CREATIVE-WEBS COM>
Date: Fri, 18 Aug 2000 03:45:56 -0600
Port 27374 is used by the latest (2.1) release of the Sub7 trojan. This trojan infects Windows 9x/NT hosts. The main distribution site for Sub7 is sub7.slak.org. I suggest downloading the client and trying to connect to yourself. If you _can_ connect to yourself without a password, you can remove the trojan with the click of a mouse. Otherwise, try your antivirus software.

-Max

On Thu, 17 Aug 2000, Tom Fischer wrote:

> veral addresses. I'm not afraid about that but don't know what services
> use this port. I thought about a trojan but can't find anything. Can
> anybody tell something or explain to me what services use 27374.
>
> Thx
> Tom Fischer

From owner-incidents () SECURITYFOCUS COM Fri Aug 18 02:03:05 2000
Date: Wed, 16 Aug 2000 09:36:27 -0400
From: Computer Vegetable <CompuVeg () COLUMBUS RR COM>
Subject: Sniffer on my network
To: INCIDENTS () SECURITYFOCUS COM

At my office I've recently installed a network monitoring package called LanGuard. One of the things this tool does is find network sniffers on your network. I didn't expect to see any, but as it turns out one of our workstations is showing up as a sniffer. I am unable to find any processes running on the machine with unidentifiable sources. I'm also unable to find any known Trojans or other viruses on that machine.

The only odd thing that I have found is that anytime a network cable is plugged into the workstation in question, the address 13.10.15.10 shows up IMMEDIATELY in the ARP. Has anyone seen anything like this? ARIN says the address is owned by Xerox PARC, whose admin says that IP is theirs, but not currently in use.

Thanks

From owner-vuln-dev () SECURITYFOCUS COM Fri Aug 18 02:19:38 2000
Date: Fri, 18 Aug 2000 15:32:47 +1200
From: Nick FitzGerald <nick () virus-l demon co uk>
Subject: Re: Whats this "repair.hta"
To: VULN-DEV () SECURITYFOCUS COM

Mick Pollard once said:

> This is my first post here. Hope someone can shed some light on this for
> me. I just found this on my windblows box and am not sure what it is??
> Anyone help me identify it?? It is in my startup folder. It's called
> "repair.hta"

Unfortunately, the file itself does not necessarily help us know what is (or maybe "was") wrong with your setup. That it is an HTA and maybe was in your Startup directory is a good hint. Many HTAs are delivered there via the Scriptlet.TypeLib bug -- an ActiveX control that installs itself "safe for scripting" but which happily makes files with names and locations as specified by a script. Microsoft only patched this a year ago, and judging from the number of people still getting infected with JS/Kak, I'd say not having the patch applied is about par for the course... The MS Security Bulletin on this is at:

http://www.microsoft.com/technet/security/bulletin/ms99-032.asp

> I have included the source code. See attachment.

Well, that allowed people to tell you what compromise you had been hit with due to receiving an Email or browsing a web page that exploits that hole, but it does not necessarily help in determining the actual security flaw in your machine... We have seen several other droppers and drive-trashers delivered in what I suspect is the same way.

[BTW, I'm not on this list, so if you want to respond *to me*, Email or CC me.]

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
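An added example, not code from this thread, for the Sub7 check Max0r describes in his reply above: it summarises inbound TCP 27374 connection attempts per source from constructed firewall log lines (the kind of "attempts from several addresses" Tom Fischer saw), and performs the "connect to yourself" test as a bare TCP handshake on the loopback address without sending anything. The log line format, addresses and function names are assumptions.

```python
import re
import socket
from collections import Counter

# Sub7 2.1 listens on TCP 27374 by default (per the thread above).
SUB7_PORT = 27374

# Constructed sample lines in a packet-filter style format (assumption;
# not real logs from anyone on the list).
SAMPLE_LOG = """\
Aug 17 22:01:13 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.2 PROTO=TCP SPT=4567 DPT=27374 SYN
Aug 17 22:01:15 fw kernel: IN=eth0 SRC=203.0.113.7 DST=198.51.100.3 PROTO=TCP SPT=4568 DPT=27374 SYN
Aug 17 22:02:40 fw kernel: IN=eth0 SRC=192.0.2.44 DST=198.51.100.2 PROTO=TCP SPT=1044 DPT=80 SYN
Aug 17 22:05:02 fw kernel: IN=eth0 SRC=198.51.100.77 DST=198.51.100.2 PROTO=TCP SPT=2033 DPT=27374 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+)")


def sub7_probes(log_text, port=SUB7_PORT):
    """Count TCP SYNs to `port` per source address and collect which
    internal hosts were probed. Returns (Counter, set)."""
    sources = Counter()
    targets = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            sources[m.group("src")] += 1
            targets.add(m.group("dst"))
    return sources, targets


def local_listener(port=SUB7_PORT, host="127.0.0.1", timeout=1.0):
    """Max0r's 'connect to yourself' check: True if something on this host
    accepts a TCP connection on `port`. Only the handshake is done and
    nothing is sent, so a listener here means 'investigate', not 'proof'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    sources, targets = sub7_probes(SAMPLE_LOG)
    for src, n in sources.most_common():
        print(f"{src} probed port {SUB7_PORT} {n} time(s)")
    print("probed hosts:", ", ".join(sorted(targets)))
    print(f"listener on 127.0.0.1:{SUB7_PORT}:", local_listener())
```

A listener on 27374 can also be a legitimate service, so confirm with the process list and antivirus as Max0r suggests before removing anything.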
Current thread:
- Port: 27374 asp Tom Fischer (Aug 18)
- Re: Port: 27374 asp Max0r (Aug 18)
- Re: Port: 27374 asp Bruce Dang (Aug 21)
- <Possible follow-ups>
- Re: Port: 27374 asp Robert Turner (Aug 18)
- Re: Port: 27374 asp Forrester, Mike (Aug 21)