Security Incidents mailing list archives

RE: SUB7 (update) Now Netbus too!


From: "Fernando Cardoso" <fernando.cardoso () whatevernet com>
Date: Wed, 14 Nov 2001 17:07:37 -0000

12345 is a well-known port for trojans (mainly Netbus). With the
wide deployment of the crc32 compensation attack
detector exploit, and according to the analysis made by Dave Dittrich
(http://www.securityfocus.com/archive/1/225543), this port is also a
backdoor for compromised systems. I guess we will be seeing an increase on
port 12345 (and also 3879 -- see analysis doc) for the next days. Round
here, the last scan was made on Nov 4 from a dial-up box in France.

PS.: I've checked the existence of such a backdoor (TCP/12345) on a Swedish
box that scanned my half C class for port 22. I didn't log the entire packets
but the origin was always port 22. Maybe a script using synscan?

Fernando


--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso () whatevernet com     http://www.whatevernet.com/




I sent off the file to all those who requested it, and there have been a few
updates since...

One, the IRC I originally stated was WRONG.

irc.ozmatrix.com
chat.ozmatrix.com

They also have a web site.

http://www.geocities.com/ircx_chat/

Um, now it's scanning for port 12345 along with scanning for sub7.

If anyone picks up an increase in scans on port 12345, let me know...

Thanks
Brice Carlson

_____

If I was supposed to have emailed you the program and you didn't receive it,
please email me again. Put sub7 in the subject and make it caps.
Tis I only got 400 emails a day. Thanks...



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



