RE: TCP port 5000 syn increasing

[Meidinger Chris <chris.meidinger () badenit de>]

When I read the original post, I actually thought the poster meant a
back-tunnel to the master agent, so that zombies in a closed network could
communicate with their handlers, and I thought it was a pretty sneaky idea. 

if the person means tunnel into a network, well that's completely silly. 

but a bot that 'quietly' - meaning somehow less than randomly - infects
boxes in corporate networks, and then goes out over port 80 with legitimate
looking http traffic would be pretty evil. more likely, however, to be of
use to advanced blackhats that to sKiddie's and their ilk.

> -----Original Message-----
> From: Harlan Carvey [mailto:keydet89 () yahoo com]
> Sent: Wednesday, May 19, 2004 4:21 PM
> To: incidents () securityfocus com
> Subject: Re: TCP port 5000 syn increasing
>
> Andreas,
>
> > > I'm waiting for the first worm that tunnels over
> > HTTP port 80, as a number
> > > of protocols already do, to get around firewalls
> > that only pass 25 and 80. ;)
> >
> > It would have to be "de-tunneled" on the inside to do something 
> > useful. Either the network is already compromised, or it exploits 
> > something on that specific service.
>
> Excellent point!  It's about time something more lucid passed through 
> this list.  To be honest, there's way too much hand-waving and too 
> much of a smoke-and-mirrors approach to infosec.  It's so easy to say 
> "worm that tunnels into the network over port 80" and get the media 
> (and following the domino effect, the general public) all hyped and 
> spinning out of control.  But you're right...it has to be 
> "de-tunnelled"
> to something, unless it's an exploit against the web server itself - 
> at which point it isn't tunnelling, then, is it?
>
> And you know, even this kind of thing is relatively easy to protect 
> against.  If you're going to configure your router or firewall in a 
> default deny status, and then allow only specific traffic, why not 
> then just restrict that traffic to specific hosts or ranges?
> Why allow port 25 into your entire infrastructure, when you've got 
> only one email server?  Why not just allow port 25 to the specific 
> host, or to ranges depending upon the size of your infrastructure?
>
>
>
> --------------------------------------------------------------
> -------------
> Free 30-day trial: firewall with virus/spam protection, URL filtering, 
> VPN, wireless security
>
> Protect your network against hackers, viruses, spam and other risks 
> with Astaro Security Linux, the comprehensive security solution that 
> combines six applications in one software solution for ease of use and 
> lower total cost of ownership.
>
> Download your free trial at
> http://www.securityfocus.com/sponsor/Astaro_incidents_040517
> --------------------------------------------------------------
> --------------

---------------------------------------------------------------------------
Free 30-day trial: firewall with virus/spam protection, URL filtering, VPN,
wireless security

Protect your network against hackers, viruses, spam and other risks with Astaro
Security Linux, the comprehensive security solution that combines six
applications in one software solution for ease of use and lower total cost of
ownership.

Download your free trial at
http://www.securityfocus.com/sponsor/Astaro_incidents_040517
----------------------------------------------------------------------------