Educause Security Discussion mailing list archives
Re: Port 65531 Remote Command Prompt
From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Tue, 31 Aug 2004 22:24:08 -0500
David -- This might be a side-effect of a Gaobot|Rbot|SDbot varietal compromise. IDS sigs targeting both specific IRC activity and LSASS scans can be useful in identifying problem hosts. I've seen similar rogueFTPs listening on various non-standard ports. best of luck, ~cam Cam Beasley CISSP CIFI Sr. InfoSec Analyst Information Security Office The University of Texas at Austin cam () austin utexas edu --------------------------- Report Abuse To: - abuse () utexas edu - 512.475.9242 --------------------------- -----Original Message----- From: The EDUCAUSE Security Discussion Group Listserv on behalf of David Taylor Sent: Tue 8/31/2004 14:42 To: SECURITY () LISTSERV EDUCAUSE EDU Subject: [SECURITY] Port 65531 Remote Command Prompt Hi All, We have been seeing some of the systems on our campus listening on port 65531 which returns a Windows Command Prompt banner: Grabbing the banner from the port below returns: TCP ports: 65531 TCP 65531: [Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system 32> C:\WINNT\system32> C:\WINNT\system32>] Has anyone else been finding this on their networks? ====================================================== David Taylor // Sr. Information Security Specialist Information Systems & Computing //Information Security University of Pennsylvania // Philadelphia PA USA LTR () ISC UPENN EDU (215) 898-1236 http://www.upenn.edu/computing/security ====================================================== ______________________________________________________________________ This email has been scanned by the MessageLabs Email Security System. For more information please visit http://www.messagelabs.com/email ______________________________________________________________________ ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/. ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Port 65531 Remote Command Prompt David Taylor (Aug 31)
- <Possible follow-ups>
- Re: Port 65531 Remote Command Prompt Cam Beasley, ISO (Aug 31)
- Re: Port 65531 Remote Command Prompt Michael Mills (Aug 31)