Security Incidents mailing list archives
New trojan running in port 12345?
From: Martin H Hoz-Salvador <mhoz () citi com mx>
Date: Tue, 19 Dec 2000 23:30:21 -0600
I've had a lot of scans to my internal network to port 12345 since this past December 15. It's quite normal for me to see scans looking for NetBus at 12345, but this time scans have been quite intensive. The time between consecutive packets is 5 seconds, and these are some sample logs I have:

Dec 15 2000 01:40:03 TCP netscan from 211.110.69.203 to port 12345
Dec 15 2000 03:54:09 TCP netscan from 211.186.92.53 to port 12345
Dec 15 2000 05:40:19 TCP netscan from 211.106.196.250 to port 12345
Dec 15 2000 07:10:31 TCP netscan from 216.206.93.115 to port 12345
Dec 15 2000 07:13:18 TCP netscan from 211.59.110.170 to port 12345
Dec 15 2000 07:37:07 TCP netscan from 211.104.39.12 to port 12345
Dec 15 2000 07:46:47 TCP netscan from 211.117.204.8 to port 12345
[SNIP]
Dec 16 2000 00:00:47 TCP netscan from 210.182.33.153 to port 12345
Dec 16 2000 00:04:16 TCP netscan from 211.195.119.253 to port 12345
Dec 16 2000 00:08:47 TCP netscan from 211.247.76.18 to port 12345
Dec 16 2000 00:15:37 TCP netscan from 24.176.170.123 to port 12345
Dec 16 2000 01:09:38 TCP netscan from 209.53.141.69 to port 12345
Dec 16 2000 02:56:47 TCP netscan from 211.59.92.44 to port 12345
[SNIP]
Dec 17 2000 00:00:02 TCP netscan from 211.179.177.165 to port 12345
Dec 17 2000 00:00:13 TCP netscan from 24.161.92.159 to port 12345
Dec 17 2000 00:12:52 TCP netscan from 211.107.211.143 to port 12345
Dec 17 2000 00:14:31 TCP netscan from 211.53.178.101 to port 12345
Dec 17 2000 00:16:35 TCP netscan from 210.207.242.11 to port 12345
[SNIP]
Dec 18 2000 00:16:22 TCP netscan from 211.181.27.38 to port 12345
Dec 18 2000 00:35:15 TCP netscan from 203.228.215.11 to port 12345
Dec 18 2000 00:55:52 TCP netscan from 211.63.151.234 to port 12345
[SNIP]
Dec 18 2000 17:27:41 TCP netscan from 24.24.165.21 to port 12345
Dec 18 2000 18:32:05 TCP netscan from 211.222.152.33 to port 12345
Dec 18 2000 19:18:01 TCP netscan from 211.170.46.111 to port 12345
[SNIP]
Dec 19 2000 17:00:03 TCP netscan from 211.234.168.220 to port 12345
Dec 19 2000 17:12:45 TCP netscan from 24.14.101.226 to port 12345
Dec 19 2000 19:26:09 TCP netscan from 24.19.20.116 to port 12345
Dec 19 2000 19:39:01 TCP netscan from 211.105.70.185 to port 12345

As you see, the other strange pattern is that most of the scans come from APNIC-assigned addresses.

Unfortunately, I don't have any "raw sessions" records from my IDS right now, but I have reconfigured it to record future sessions.

Do you have any ideas about it?

Regards.

--
M. Hoz
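
Added example, not part of the original post: one way to triage "netscan" alerts in the format quoted in the message above, counting hits per day and per source /8 and measuring the shortest gap between alerts. The function names and the APNIC /8 set are assumptions made for this example, and the sample uses a few of the quoted lines plus one constructed malformed line.

```python
import re
from collections import Counter
from datetime import datetime

# A few log lines from the post, plus one constructed malformed line.
SAMPLE = """\
Dec 15 2000 07:10:31 TCP netscan from 216.206.93.115 to port 12345
Dec 15 2000 07:13:18 TCP netscan from 211.59.110.170 to port 12345
Dec 15 2000 07:37:07 TCP netscan from 211.104.39.12 to port 12345
Dec 16 2000 00:15:37 TCP netscan from 24.176.170.123 to port 12345
Dec 17 2000 00:00:02 TCP netscan from 211.179.177.165 to port 12345
Dec 17 2000 00:00:13 TCP netscan from 24.161.92.159 to port 12345
Dec 18 2000 00:35:15 TCP netscan from 203.228.215.11 to port 12345
Dec 18 2000 00:55 netscan (constructed malformed line, skipped)
"""

LINE = re.compile(r"^(\w{3} \d{1,2} \d{4} \d\d:\d\d:\d\d) TCP netscan from "
                  r"(\d{1,3}(?:\.\d{1,3}){3}) to port (\d+)$")

# Assumption: /8 blocks delegated to APNIC, limited to those seen in the post.
APNIC_SLASH8 = {203, 210, 211}

def parse_netscan(text):
    """Return (timestamp, source_ip, port) tuples; unparseable lines are dropped."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %Y %H:%M:%S")
            events.append((ts, m.group(2), int(m.group(3))))
    return events

def summarize(events, port=12345):
    """Summarize alerts for one destination port."""
    hits = sorted(e for e in events if e[2] == port)
    per_day = Counter(ts.date().isoformat() for ts, _, _ in hits)
    per_slash8 = Counter(int(ip.split(".")[0]) for _, ip, _ in hits)
    gaps = [int((b[0] - a[0]).total_seconds()) for a, b in zip(hits, hits[1:])]
    return {
        "total": len(hits),
        "per_day": dict(per_day),
        "per_slash8": dict(per_slash8),
        "apnic": sum(n for o, n in per_slash8.items() if o in APNIC_SLASH8),
        "min_gap_s": min(gaps) if gaps else None,
    }

if __name__ == "__main__":
    print(summarize(parse_netscan(SAMPLE)))
```
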
Current thread:
- New trojan running in port 12345? Martin H Hoz-Salvador (Dec 20)
- Re: New trojan running in port 12345? Russell Fulton (Dec 21)
- Re: New trojan running in port 12345? Jose Nazario (Dec 21)
- <Possible follow-ups>
- Re: New trojan running in port 12345? Edwards, David (JTD) (Dec 21)
- Re: New trojan running in port 12345? claymore (Dec 21)
- Re: New trojan running in port 12345? Edwards, David (JTD) (Dec 21)
- Re: New trojan running in port 12345? Michael H. Warfield (Dec 21)
- Re: New trojan running in port 12345? Russell Fulton (Dec 21)