Security Basics mailing list archives

RE: Strange Connection Attempts


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Wed, 19 Feb 2003 17:56:56 -0000

From the ports database at www.snort.org:

Port 17300 / tcp 
Keyword Kuang2TheVirus 
Description [trojan] Kuang2 The Virus

http://www.dark-e.com/archive/trojans/kuang/tv/index.shtml
http://vil.mcafee.com/dispVirus.asp?virus_k=10213&;
http://www.sans.org/search.php?config=sansphp&words=17300


Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Charles Hamby [mailto:fixer () gci net] 
Sent: 19 February 2003 03:50
To: security-basics () securityfocus com
Subject: Re: Strange Connection Attempts


I've been seeing 17300 scans from many places outside of Asia, actually.
I just had one today that I traced back to somewhere around LA, so they
definitely are getting to other time zones. I've been seeing scans from
Comcast, AT&T, and a couple of others.  But, as you say, in all of the
packets I've captured, none of them have any payload.  It's a little
odd.


-CDH
-----Original Message-----
From: Kinsey, Robert [mailto:Robert.Kinsey () Veridian com] 
Sent: Monday, February 17, 2003 2:39 PM
Cc: 'security-basics () securityfocus com '
Subject: RE: Strange Connection Attempts

I also saw the 17300 (which is the port Kuang 2 the virus runs on).  But
they were all coming from Asia (about 0800 their time) and never
progressed. I was thinking it was a launch attempt on the 14th but no
other TZs showed up.

My feeling is if these are all 0-byte length probes they aren't doing
much. Just ensure these ports / services are set to drop the connections
fitting the description.

rk
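
One way to check a capture for what the thread describes (connection attempts to 17300/tcp with no payload that never progress), as an added example that is not part of the original messages. The capture lines are constructed in tcpdump's `-nn` text format with documentation addresses, and `summarize` and its verdict labels are hypothetical names.

```python
import re
from collections import defaultdict

# Constructed sample in tcpdump -nn text format (documentation addresses).
SAMPLE = """\
03:50:01.000001 IP 203.0.113.5.40112 > 192.0.2.10.17300: Flags [S], seq 1000, win 5840, length 0
03:50:04.000002 IP 203.0.113.5.40112 > 192.0.2.10.17300: Flags [S], seq 1000, win 5840, length 0
03:51:10.000003 IP 198.51.100.7.51515 > 192.0.2.10.17300: Flags [S], seq 2000, win 5840, length 0
03:51:10.000100 IP 192.0.2.10.17300 > 198.51.100.7.51515: Flags [S.], seq 3000, ack 2001, win 5840, length 0
03:51:10.000200 IP 198.51.100.7.51515 > 192.0.2.10.17300: Flags [.], ack 1, win 5840, length 0
03:51:10.000300 IP 198.51.100.7.51515 > 192.0.2.10.17300: Flags [P.], seq 1:25, ack 1, win 5840, length 24
03:52:00.000004 IP 203.0.113.9.1025 > 192.0.2.10.80: Flags [S], seq 4000, win 5840, length 0
"""

# tcpdump one-line TCP summary: src.port > dst.port: Flags [..] ... length N
LINE = re.compile(
    r"IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*length (?P<len>\d+)"
)

def summarize(capture, port=17300):
    """Per-source view of traffic aimed at `port`: SYN count, payload bytes, verdict."""
    stats = defaultdict(lambda: {"syns": 0, "payload_bytes": 0})
    answered = set()  # sources that received a SYN-ACK from the probed port
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        if int(m["dport"]) == port:
            entry = stats[m["src"]]
            if m["flags"] == "S":
                entry["syns"] += 1
            entry["payload_bytes"] += int(m["len"])
        elif int(m["sport"]) == port and m["flags"] == "S.":
            answered.add(m["dst"])
    report = {}
    for src, entry in stats.items():
        if entry["payload_bytes"] > 0:
            verdict = "data sent"      # a listener accepted the connection and received data
        elif src in answered:
            verdict = "port answered"  # a listener exists on the port; check the host
        else:
            verdict = "bare probe"     # zero-length SYNs that never progressed
        report[src] = {**entry, "answered": src in answered, "verdict": verdict}
    return report

if __name__ == "__main__":
    for src, row in summarize(SAMPLE).items():
        print(src, row)
```

Only the "bare probe" verdict matches the traffic reported in the thread; either of the other two means the probed host replied on 17300 and should be inspected.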




