Security Incidents mailing list archives
RE: TCP port 5000 syn increasing
From: Meidinger Chris <chris.meidinger () badenit de>
Date: Fri, 21 May 2004 13:27:22 +0200
When I read the original post, I actually thought the poster meant a back-tunnel to the master agent, so that zombies in a closed network could communicate with their handlers, and I thought it was a pretty sneaky idea. If the person means tunnel into a network, well that's completely silly. But a bot that 'quietly' - meaning somehow less than randomly - infects boxes in corporate networks, and then goes out over port 80 with legitimate-looking HTTP traffic would be pretty evil. More likely, however, to be of use to advanced blackhats than to sKiddies and their ilk.
-----Original Message-----
From: Harlan Carvey [mailto:keydet89 () yahoo com]
Sent: Wednesday, May 19, 2004 4:21 PM
To: incidents () securityfocus com
Subject: Re: TCP port 5000 syn increasing

Andreas,

> I'm waiting for the first worm that tunnels over HTTP port 80, as a number of protocols already do, to get around firewalls that only pass 25 and 80. ;)
>
> It would have to be "de-tunneled" on the inside to do something useful. Either the network is already compromised, or it exploits something on that specific service.

Excellent point! It's about time something more lucid passed through this list. To be honest, there's way too much hand-waving and too much of a smoke-and-mirrors approach to infosec. It's so easy to say "worm that tunnels into the network over port 80" and get the media (and following the domino effect, the general public) all hyped and spinning out of control. But you're right...it has to be "de-tunnelled" to something, unless it's an exploit against the web server itself - at which point it isn't tunnelling, then, is it?

And you know, even this kind of thing is relatively easy to protect against. If you're going to configure your router or firewall in a default deny status, and then allow only specific traffic, why not then just restrict that traffic to specific hosts or ranges? Why allow port 25 into your entire infrastructure, when you've got only one email server? Why not just allow port 25 to the specific host, or to ranges depending upon the size of your infrastructure?

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN, wireless security
Protect your network against hackers, viruses, spam and other risks with Astaro Security Linux, the comprehensive security solution that combines six applications in one software solution for ease of use and lower total cost of ownership.
Download your free trial at http://www.securityfocus.com/sponsor/Astaro_incidents_040517
----------------------------------------------------------------------------
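The quoted reply argues that a default-deny policy which opens port 25 to the whole network gives away most of the benefit of default deny, and that the allow rule should name the one host that actually runs the service. The following is an added example, not code from this thread or from any of its participants: it simulates first-match packet-filter evaluation over two constructed policies, a broad one that allows tcp/25 and tcp/80 to an entire internal range and a narrowed one that allows them only to the mail and web servers, and shows which hosts each policy exposes. The addresses (10.0.0.0/16, 10.0.1.25, 10.0.1.80) and the host list are assumptions made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp" or "any"
    dst_net: str           # destination network in CIDR notation
    dst_port: Optional[int]  # None matches any destination port


@dataclass(frozen=True)
class Flow:
    proto: str
    dst_ip: str
    dst_port: int


def evaluate(rules: List[Rule], flow: Flow, default: str = "deny") -> str:
    """First-match evaluation, as a stateless packet filter does it: the first
    rule whose protocol, destination network and destination port all match
    decides the verdict; if nothing matches, the default policy applies."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if r.proto not in ("any", flow.proto):
            continue
        if dst not in ipaddress.ip_network(r.dst_net, strict=False):
            continue
        if r.dst_port is not None and r.dst_port != flow.dst_port:
            continue
        return r.action
    return default


# Constructed example addresses (assumptions, RFC 1918 space).
INTERNAL_NET = "10.0.0.0/16"
MAIL_SERVER = "10.0.1.25"
WEB_SERVER = "10.0.1.80"

# Weak policy: default deny, but 25 and 80 are opened to the entire range,
# so every host that happens to listen on those ports is reachable.
BROAD_POLICY = [
    Rule("allow", "tcp", INTERNAL_NET, 25),
    Rule("allow", "tcp", INTERNAL_NET, 80),
]

# Narrowed policy: same services, but only to the hosts that provide them.
NARROW_POLICY = [
    Rule("allow", "tcp", MAIL_SERVER + "/32", 25),
    Rule("allow", "tcp", WEB_SERVER + "/32", 80),
]


def exposed_hosts(rules: List[Rule], hosts: List[str], port: int,
                  proto: str = "tcp") -> List[str]:
    """Return the hosts from `hosts` that the policy lets traffic reach on `port`."""
    return [h for h in hosts if evaluate(rules, Flow(proto, h, port)) == "allow"]


def compare(hosts: List[str], port: int) -> Tuple[List[str], List[str]]:
    """Exposure on `port` under the broad policy and under the narrowed one."""
    return (exposed_hosts(BROAD_POLICY, hosts, port),
            exposed_hosts(NARROW_POLICY, hosts, port))


if __name__ == "__main__":
    # Constructed host list: the two servers plus two ordinary workstations.
    sample_hosts = [MAIL_SERVER, WEB_SERVER, "10.0.2.17", "10.0.3.99"]
    for port in (25, 80, 5000):
        broad, narrow = compare(sample_hosts, port)
        print(f"tcp/{port}: broad policy exposes {broad}; "
              f"narrow policy exposes {narrow}")
```

Both policies are default deny, so tcp/5000 is blocked either way; the difference shows on the ports that are opened. The narrowed rules still let SMTP reach the mail server, but a workstation that starts listening on 25 or 80 after a compromise stays unreachable from outside.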
Current thread:
- Re: TCP port 5000 syn increasing, (continued)
- Re: TCP port 5000 syn increasing Harlan Carvey (May 19)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 19)
- Re: TCP port 5000 syn increasing Harlan Carvey (May 19)
- RE: TCP port 5000 syn increasing Nick FitzGerald (May 19)
- RE: TCP port 5000 syn increasing Nick FitzGerald (May 19)
- RE: TCP port 5000 syn increasing Paul Schmehl (May 19)
- RE: TCP port 5000 syn increasing Steven Trewick (May 18)
- RE: [Securityfocus-incidents] RE: TCP port 5000 syn increasing Remko Lodder (May 18)
- RE: TCP port 5000 syn increasing Steven Trewick (May 19)
- Re: TCP port 5000 syn increasing Bob (May 20)
- RE: TCP port 5000 syn increasing Meidinger Chris (May 21)
- Re: TCP port 5000 syn increasing Valdis . Kletnieks (May 21)
- Re: TCP port 5000 syn increasing Bob (May 25)