Security Incidents mailing list archives

Re: Port 555 scan


From: Ryan Russell <ryan () SECURITYFOCUS COM>
Date: Fri, 9 Feb 2001 18:16:33 -0700

So I went looking through my BlackICE logs, and found this:

59, 2001-02-08 21:09:50, 2003101, TCP trojan horse probe, 211.193.34.30, LINOO, 63.202.179.99, , port=555&name=Phase+Zero, 2, A

And sure enough, 211.193.34.30 is listening at port 27374. (The port Ramen
uses to download itself onto new machines.)

Perhaps there's a Ramen variant.  Anyone know what kind of command Ramen
expects on 27374 before it will send itself?  It would accept a
few keystrokes from me, and then disconnect.

                                        Ryan

