Security Incidents mailing list archives

Re: Firewall hits/unknown ports

From: Stephen <sa7ori () tasam com>
Date: Sun, 4 Nov 2001 21:39:28 -0500 (EST)

<RANT>
I dont want to sound like a pompous arse, but I think we should be
careful with asking questions like this. In the tradition of making
oversimilified and romantic analogies to the biological world, the
internet, and the world's public networks are like forrests. There is a
certain degree of chaos and a certain degree of natural order to their
basic operation. the chaos factor comes from the human interaction with
teh technology.
</RANT>

Trojans, and backdoors are equally as unpredictable. you
can with one line (in inetd) append a line binding a shell to ANY port.
You can write ANY number of programs or scripts to do the same on
unprivileged ports without root. from the network stuff like that is even
less predicatable because of the plethora of client connection initiation
done BEHIND the firewall. some innocuous client software could use the
higher port numbers for nonpassive communication or something. it could be
anything. have you tried to connect to  the host targeted on that port?
throwing shell commands at it? if you have console access to teh machine,
look at all process, if there is a live connection, sniff it. the
wilderness of our networks can be incredibly dynamic, we have to cope with
this, and be innovative and dilligent in our conquest to grok the vast
expanse of information. do your part to contribute to the
"bodiless exhultation that is the matrix". heh. oi. BRAAAAAAZIILLLLLLLL!.


On Sun, 4 Nov 2001 bonk () webchat chatsystems com
wrote:



Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ?
Snort.org doesn't list these.





80            24.23.170.219           http            Nov  4 03:56:14
80            24.23.19.114            http            Nov  4 03:13:24
80            24.23.170.219           http            Nov  4 02:57:32
80            24.23.170.219           http            Nov  4 02:57:29
80            24.23.170.219           http            Nov  4 02:44:27
80            24.23.170.219           http            Nov  4 02:08:54
80            24.23.170.219           http            Nov  4 02:08:51
80            24.100.151.92           http            Nov  4 02:01:11
80            24.100.151.92           http            Nov  4 02:01:08
80            24.214.18.131           http            Nov  4 00:57:24
80            67.164.189.42           http            Nov  4 00:16:15
25            67.164.189.42           smtp            Nov  4 00:16:14
110           67.164.189.42           pop3            Nov  4 00:16:14
21            67.164.189.42           ftp             Nov  4 00:16:13
7             67.164.189.42           echo            Nov  4 00:16:13
53            67.164.189.42           domain          Nov  4 00:16:09
22634         24.254.60.19            unknown         Nov  3 23:49:26
22634         24.254.60.19            unknown         Nov  3 23:48:26
22634         24.254.60.19            unknown         Nov  3 23:47:26
22634         24.254.60.19            unknown         Nov  3 23:46:26
22634         24.254.60.19            unknown         Nov  3 23:45:26
22634         24.254.60.19            unknown         Nov  3 23:44:26
22634         24.254.60.19            unknown         Nov  3 23:43:26
22634         24.254.60.19            unknown         Nov  3 23:42:26
22634         24.254.60.19            unknown         Nov  3 23:41:53
22634         24.254.60.19            unknown         Nov  3 23:41:36
22634         24.254.60.19            unknown         Nov  3 23:41:28
80            24.23.170.219           http            Nov  3 23:39:37
80            24.51.8.166             http            Nov  3 22:57:26
80            24.51.8.166             http            Nov  3 22:57:23
80            24.23.170.219           http            Nov  3 22:47:18
80            24.23.170.219           http            Nov  3 22:47:15
21            80.11.127.241           ftp             Nov  3 22:39:47
21            80.11.127.241           ftp             Nov  3 22:39:41
80            24.23.19.114            http            Nov  3 22:29:26
80            24.23.19.114            http            Nov  3 22:29:23
80            24.23.170.219           http            Nov  3 22:13:45
80            24.23.170.219           http            Nov  3 22:01:43
80            24.23.170.219           http            Nov  3 22:01:40
80            24.23.19.114            http            Nov  3 21:30:41
80            24.23.19.114            http            Nov  3 21:30:38
27374         24.19.71.108            Sub7            Nov  3 21:18:13
27374         24.19.71.108            Sub7            Nov  3 21:18:01
27374         24.19.71.108            Sub7            Nov  3 21:17:55
27374         24.19.71.108            Sub7            Nov  3 21:17:52
80            24.23.19.114            http            Nov  3 20:44:14
80            24.23.19.114            http            Nov  3 20:44:11
80            24.23.19.114            http            Nov  3 20:34:55
80            24.23.19.114            http            Nov  3 20:34:52
80            24.23.19.114            http            Nov  3 20:18:01
80            24.23.19.114            http            Nov  3 20:17:58
80            24.23.170.219           http            Nov  3 20:17:05
80            24.23.170.219           http            Nov  3 20:10:24
80            24.23.170.219           http            Nov  3 20:10:22
34554         24.254.60.39            unknown         Nov  3 20:01:40
80            24.23.170.219           http            Nov  3 20:01:04
80            24.23.170.219           http            Nov  3 20:01:02
34554         24.254.60.39            unknown         Nov  3 20:00:40
34554         24.254.60.39            unknown         Nov  3 19:59:40
34554         24.254.60.39            unknown         Nov  3 19:58:40
34554         24.254.60.39            unknown         Nov  3 19:57:40
34554         24.254.60.39            unknown         Nov  3 19:56:40
34554         24.254.60.39            unknown         Nov  3 19:55:40
34554         24.254.60.39            unknown         Nov  3 19:55:02
34554         24.254.60.39            unknown         Nov  3 19:54:43
34554         24.254.60.39            unknown         Nov  3 19:54:33
53            202.138.113.150         domain          Nov  3 19:54:12
53            202.138.113.150         domain          Nov  3 19:54:06
53            202.138.113.150         domain          Nov  3 19:54:03
27374         24.156.37.3             Sub7            Nov  3 19:42:12
27374         24.156.37.3             Sub7            Nov  3 19:42:06
27374         24.156.37.3             Sub7            Nov  3 19:42:02
80            24.23.19.114            http            Nov  3 19:23:08
80            24.23.19.114            http            Nov  3 19:23:05
111           211.112.143.2           sunrpc          Nov  3 19:22:33
80            24.23.19.114            http            Nov  3 19:21:11
80            24.23.19.114            http            Nov  3 19:21:07
80            24.23.19.114            http            Nov  3 19:11:52
80            24.23.19.114            http            Nov  3 19:11:49
80            24.16.82.182            http            Nov  3 16:25:40
80            24.16.82.182            http            Nov  3 16:25:37
80            24.12.210.113           http            Nov  3 15:50:57
80            24.12.210.113           http            Nov  3 15:50:54
29319         24.254.60.33            unknown         Nov  3 10:13:09
29319         24.254.60.33            unknown         Nov  3 10:12:09
29319         24.254.60.33            unknown         Nov  3 10:11:09
29319         24.254.60.33            unknown         Nov  3 10:10:09
29319         24.254.60.33            unknown         Nov  3 10:09:09
29319         24.254.60.33            unknown         Nov  3 10:08:09
29319         24.254.60.33            unknown         Nov  3 10:07:09
29319         24.254.60.33            unknown         Nov  3 10:06:33
29319         24.254.60.33            unknown         Nov  3 10:06:15
29319         24.254.60.33            unknown         Nov  3 10:06:06
80            213.96.11.21            http            Nov  3 09:52:33
515           157.238.46.30           printer         Nov  3 08:15:20
515           157.238.46.30           printer         Nov  3 08:15:17
111           211.100.18.45           sunrpc          Nov  3 07:54:16
111           211.100.18.45           sunrpc          Nov  3 07:54:13
80            24.234.87.155           http            Nov  3 06:15:40
80            24.234.87.155           http            Nov  3 06:15:37




Bonk
Bonk () cyberabuse org


================================================


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Current thread:

Firewall hits/unknown ports bonk (Nov 04)
- Re: Firewall hits/unknown ports Stephen (Nov 04)
  - RE: Firewall hits/unknown ports Loki (Nov 04)
- Re: Firewall hits/unknown ports Glenn Forbes Fleming Larratt (Nov 04)
  - Re: Firewall hits/unknown ports Valdis . Kletnieks (Nov 04)
- Re: Firewall hits/unknown ports Nick FitzGerald (Nov 08)
- <Possible follow-ups>
- RE: Firewall hits/unknown ports Barber, Chris (Nov 05)
  - Re: Firewall hits/unknown ports freehold (Nov 05)