Educause Security Discussion mailing list archives

Re: Port 65531 Remote Command Prompt


From: "Cam Beasley, ISO" <cam () AUSTIN UTEXAS EDU>
Date: Tue, 31 Aug 2004 22:24:08 -0500

David --

This might be a side-effect of a Gaobot|Rbot|SDbot varietal compromise.
IDS sigs targeting both specific IRC activity and LSASS scans 
can be useful in identifying problem hosts.

I've seen similar rogue FTPs listening on various non-standard ports.

best of luck,

~cam

Cam Beasley CISSP CIFI
Sr. InfoSec Analyst
Information Security Office
The University of Texas at Austin
cam () austin utexas edu
---------------------------
Report Abuse To:
- abuse () utexas edu
- 512.475.9242
---------------------------


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv on behalf of David Taylor
Sent: Tue 8/31/2004 14:42
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Port 65531 Remote Command Prompt
 
Hi All,

We have been seeing some of the systems on our campus listening on port
65531 which returns a Windows Command Prompt banner:

Grabbing the banner from the port below returns:
TCP ports: 65531


TCP 65531:
[Microsoft Windows 2000 [Version 5.00.2195] (C) Copyright 1985-2000 Microsoft Corp. C:\WINNT\system32> C:\WINNT\system32> C:\WINNT\system32>]

Has anyone else been finding this on their networks?

======================================================
David Taylor    // Sr. Information Security Specialist
Information Systems & Computing //Information Security
University of Pennsylvania      // Philadelphia PA USA
LTR () ISC UPENN EDU                       (215) 898-1236
http://www.upenn.edu/computing/security
======================================================

**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
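
An added example, not part of the original thread: one way to triage banner-grab results for the two symptoms discussed above, a Windows command prompt answering on a TCP port and an FTP greeting on a non-standard port. The function names, the input row format and the sample rows are assumptions constructed for illustration.

```python
import re

# Windows console header, e.g. "Microsoft Windows 2000 [Version 5.00.2195]"
WIN_HEADER = re.compile(r"Microsoft Windows[^\[\]]*\[Version ([\d.]+)\]")
# A cmd.exe prompt: drive letter, backslash path, then ">"
CMD_PROMPT = re.compile(r'(?<![A-Za-z])[A-Za-z]:\\[^<>|"*?\r\n]*>')
# FTP servers greet with reply code 220 (RFC 959)
FTP_GREETING = re.compile(r"^220[ -]")


def classify_banner(port, banner):
    """Return (finding, detail) for a suspicious banner, or None."""
    text = banner.decode("latin-1") if isinstance(banner, bytes) else banner
    # Captured output can wrap mid-path ("system\n32>"), so drop line breaks.
    flat = re.sub(r"[\r\n]+", "", text)
    prompts = CMD_PROMPT.findall(flat)
    if prompts:
        header = WIN_HEADER.search(flat)
        version = header.group(1) if header else "unknown"
        return ("cmd-shell", f"version={version} prompt={prompts[0]}")
    if FTP_GREETING.match(text.lstrip()) and port != 21:
        return ("ftp-nonstandard-port", text.strip().splitlines()[0])
    return None


def triage(rows):
    """rows: iterable of (host, port, banner). Returns flagged rows only."""
    flagged = []
    for host, port, banner in rows:
        hit = classify_banner(port, banner)
        if hit:
            flagged.append((host, port) + hit)
    return flagged


# Constructed sample results (documentation addresses, RFC 5737).
SAMPLE = [
    ("192.0.2.10", 65531, b"Microsoft Windows 2000 [Version 5.00.2195]\r\n"
     b"(C) Copyright 1985-2000 Microsoft Corp.\r\n\r\nC:\\WINNT\\system\r\n32>"),
    ("192.0.2.11", 22, b"SSH-2.0-OpenSSH_3.8\r\n"),
    ("192.0.2.12", 21, b"220 ftp.example.edu FTP server ready\r\n"),
    ("192.0.2.13", 4711, b"220 ready\r\n"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```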
