Security Incidents mailing list archives
Re: Firewall hits/unknown ports
From: Stephen <sa7ori () tasam com>
Date: Sun, 4 Nov 2001 21:39:28 -0500 (EST)
<RANT> I don't want to sound like a pompous arse, but I think we should be careful with asking questions like this. In the tradition of making oversimplified and romantic analogies to the biological world, the internet and the world's public networks are like forests. There is a certain degree of chaos and a certain degree of natural order to their basic operation. The chaos factor comes from the human interaction with the technology. </RANT>

Trojans and backdoors are equally as unpredictable. You can with one line (in inetd) append a line binding a shell to ANY port. You can write ANY number of programs or scripts to do the same on unprivileged ports without root. From the network, stuff like that is even less predictable because of the plethora of client connection initiation done BEHIND the firewall. Some innocuous client software could use the higher port numbers for nonpassive communication or something. It could be anything.

Have you tried to connect to the host targeted on that port? Throwing shell commands at it? If you have console access to the machine, look at all processes; if there is a live connection, sniff it.

The wilderness of our networks can be incredibly dynamic. We have to cope with this, and be innovative and diligent in our conquest to grok the vast expanse of information. Do your part to contribute to the "bodiless exultation that is the matrix". heh. oi. BRAAAAAAZIILLLLLLLL!

On Sun, 4 Nov 2001 bonk () webchat chatsystems com wrote:
Anyone know what trojans/backdoors run on 22634, 24544 and 29319 ? Snort.org doesn't list these.

Bonk
Bonk () cyberabuse org
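The firewall log in the original post lists one hit per line as destination port, source address, service name and timestamp, and the hits on the unlabelled ports come from a single source about once a minute, which is the "is there a live connection" question Stephen raises. As an added example (not code from either poster), this script parses lines in that same layout and flags unknown-service ports hit at a steady interval from one source; the sample lines and the 198.51.100.x addresses are constructed.

```python
"""Find unlabelled ports hit repeatedly at a steady interval from one source.
Lines follow the layout of the log quoted in the thread:
    <dst_port> <src_ip> <service> <Mon> <day> <HH:MM:SS>"""
from collections import defaultdict
from datetime import datetime
from statistics import mode

# Constructed sample in that layout (not the poster's actual log).
SAMPLE_LOG = """\
80 198.51.100.7 http Nov 3 22:47:15
22634 198.51.100.19 unknown Nov 3 23:41:28
22634 198.51.100.19 unknown Nov 3 23:41:53
22634 198.51.100.19 unknown Nov 3 23:42:26
22634 198.51.100.19 unknown Nov 3 23:43:26
22634 198.51.100.19 unknown Nov 3 23:44:26
22634 198.51.100.19 unknown Nov 3 23:45:26
29319 198.51.100.33 unknown Nov 3 10:06:06
29319 198.51.100.33 unknown Nov 3 10:07:46
27374 198.51.100.108 Sub7 Nov 3 21:18:01
"""

def parse(text, year=2001):
    """Yield (port, src, service, timestamp); skip lines that do not fit."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # truncated or run-together line
        port, src, svc, mon, day, clock = parts
        ts = datetime.strptime(f"{year} {mon} {day} {clock}", "%Y %b %d %H:%M:%S")
        yield int(port), src, svc, ts

def steady_unknown_hits(text, min_regular=3, jitter=5):
    """Return {(port, src): (hits, interval_seconds)} for 'unknown' ports where at
    least min_regular gaps between hits sit within jitter seconds of the most
    common gap: a client retrying on a schedule rather than a one-off scan."""
    seen = defaultdict(list)
    for port, src, svc, ts in parse(text):
        if svc == "unknown":
            seen[(port, src)].append(ts)
    found = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if not gaps:
            continue  # a single hit has no interval to judge
        common = mode(gaps)
        regular = sum(1 for g in gaps if abs(g - common) <= jitter)
        if regular >= min_regular:
            found[key] = (len(stamps), int(common))
    return found
```

A flagged (port, source) pair is the one to check on the destination host with the process list and a packet capture, as the reply suggests, before guessing at a trojan name from the port number alone.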
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com