Security Incidents mailing list archives

RE: Exploit on tcp/4128?


From: "Lawrence Baldwin" <baldwinL () mynetwatchman com>
Date: Mon, 14 Feb 2005 17:34:34 -0500

Jim,

This host is not on my network...*I* issued the netcat to manually
interrogate the IP (outside my network) that was detected by the mNW system
as blowing out boatloads of tcp/4128...based on the target IP showing in the
mNW incident, it has scanned a couple of Class As already.


Lawrence.

-----Original Message-----
From: Butterworth, Jim [mailto:jim.butterworth () guidancesoftware com]
Sent: Monday, February 14, 2005 17:23
To: baldwinL () mynetwatchman com; incidents () securityfocus com;
bugtraq () securityfocus com
Subject: RE: Exploit on tcp/4128?


Looks like a probe from Netcat (passing the IP required by the -n
switch, and -v, echo back as much information as you can about
the connection attempt). The question would be, what on your
network, that you know of, is responsive to that port? Are any of
the probed machines running processes you don't recognize? Most
likely looking for a backdoor that is assumed there by the
command switch invoked. This response looks like a neg response.

r/Jim Butterworth

-----Original Message-----
From: Lawrence Baldwin [mailto:baldwinL () mynetwatchman com]
Sent: Monday, February 14, 2005 2:00 PM
To: incidents () securityfocus com; bugtraq () securityfocus com
Subject: Exploit on tcp/4128?

Anyone know what this is:

D:\nc>nc -n -v 64.132.205.69 4128
(UNKNOWN) [64.132.205.69] 4128 (?) open

'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet

'ÖP?    ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet
'ÖP?
   ?      Version?   1.3?   Error?   ?   ?   Msg?   Invalid Packet    ^C


The same host above is scanning the *world* for this port:

http://www.mynetwatchman.com/LID.asp?IID=146159119

Regards,

Lawrence Baldwin
myNetWatchman.com



