Nmap Development mailing list archives

Re: Ports 27374 and 37907 not yet in nmap-services


From: "grendel warrior" <grendelwarrior () hotmail com>
Date: Sat, 03 Mar 2001 13:39:53 -0000


Hi,

As you said, SubSeven is a well-known Trojan and it is used a lot on IRC.
I also know of an Optivity Network Configuration System suite of utilities
used by Nortel Networks.
You might check it out on http://www.nortelnetworks.com as the suite is kinda big.
cya


From: Marek Michalkiewicz <marekm () amelek gda pl>
To: nmap-dev () insecure org
CC: marekm () linux org pl
Subject: Ports 27374 and 37907 not yet in nmap-services
Date: Fri, 2 Mar 2001 20:18:59 +0100 (CET)

Hi,

I have seen these two port numbers probed in real life, and not yet
listed in nmap-services, or even in the huge list mentioned in that
file (http://www.graffiti.com/services).  Please consider adding them
to the distributed nmap-services file, perhaps it helps someone...

I've tried to find some info on these ports using a search engine, and
here is what I found... (not much - most of what is found is a dozen
different web archives of the same two mailing lists)

Port 27374/tcp (listed as "asp" - Address Search Protocol in the default
/etc/services file that comes with Debian) appears to be used by some
kind of Windows trojan (tried to connect to the box that probed me,
something was listening there...) named SubSeven.

Port 37907/tcp (not listed anywhere I can tell) appears to be used
by something called Optivity (whatever that is - no idea...) probably
running on Win9x, which also probes ports 80/tcp and 161/udp (snmp).
I see probes on these ports mainly in a large LAN that is not reachable
from the Internet, and I know who is doing it...  That person (who
happens to be the admin of that LAN) admits it (it's not IP spoofing),
but doesn't want to tell me anything more - says it's top secret :).

These probes are harmless, but still it would be nice to know more...
If someone here has more information, links to more info about the
above mentioned programs, especially the one using port 37907 -
please let me know.

Thanks, and keep up the good work!
Marek


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).


