Firewall Wizards mailing list archives

"Some of you have been asking for this, so here it is."


From: "Philip S Holt, Security Engineer / Network Engineer" <philipsholt () uswest net>
Date: Sat, 22 May 1999 21:33:00 -0700

First, before you all get lost in the vortex ...
1) I was very apprehensive about sharing this - as it is long, it is very
detailed.
2) I was encouraged to do so however, and I thank those individuals for
supporting me - whether I take heat or not for doing so, I firmly believe *this
is the right thing to do*.
3) This report is but one way of getting results with the *big guns*, as I call
them.
4) Remember, last week I responded to a thread stating that I have picked up 15
scans in ~ 3 & 1/2 weeks now, and I also further qualified that in stating that I
have gone after four of these probes, and have actually gotten *somewhere @ the
personal level* with certain engineers @ the NOC level. Herein lies one of those
successes.
5) Others from this list, and other list groups as well, have asked me to briefly
sketch out my methods (at least those used to get personal responses and whatnot)
and the techniques I used when dealing with engineers @ the large ISPs - so feel
free to contact me. I will put something together, have two individuals review
it, then post accordingly.
6) There is a tremendous amount of info in here; fact is, this path will get
results, and it has served me well since I put it together through *trial &
error* and experience. I have also had the help and encouragement from two of you,
and I thank you greatly. You know who you are, so take pleasure in knowing that
your teaching is beginning to sink in.
7) As an aftermath, I am doing the following: 1) Writing personal responses and
thank-you letters to the six engineers I spoke with (yep - on the phone, and
quite humorous to boot!) who helped me along. They are all from large
organizations - as you are about to find out. This clearly proves that, no matter
how small an incident (after all - this is only a probe, RIGHT??), everything we
do, everything I do, will help those that follow. 2) I am working on refining
this process, and finding areas where it can be improved upon. Those of you (and
I have a good idea who will gladly respond to this open invite) who would like to
make relevant suggestions - please, feel free to do so.
   I am essentially new to IT Security (only 16 & 1/2 months now) so I have lots
to learn ...
Humbled as I sit ...
Philip S Holt / MCP


  Anatomy Of RAS / Dial-Up Account Probe
  by: Philip S Holt / MCP



 Student Of Two: LJH, Jr., & DB
 Mentee to Many; Primary Mentor: Paul D. Robertson



 INCIDENT SPECIFICS:
 1) Saturday May 8th
 2) 17:04:34 - 17:15:28 (Duration Of Probe)
 3) IP Source As Reported By MJR's Back Officer Friendly: 168.191.22.14
 {{IP Block = US Sprint}}
 4) Reporting Location: Seattle, WA (Destination Logs)
 5) NT Server v4.0 Dial-Up Machine
 6) ISP US West Dial-Up Account (Seattle / Tacoma Areas Served)




I. General Sequence Of Events
II. Phone Calls & Collaborative Conversations
III. Electronic Messages and Collaborative Information Exchange
IV. Follow-Up
V. Continuation Of Efforts
VI. After-Thoughts & "Lessons Learned"
VII. Back Orifice / NetBus Specifics & Anomalies



 I. General Sequence Of Events -
 Logged on to primary POP server (sttl1.pop.xxx.xxx), downloading a
whitepaper concerning NT as a Bastion Host candidate. Following is what
popped up on the screen (BOF with audible alert). BOF courtesy of Marcus J. Ranum
& his team - "Thank you!"

Sat May 08 17:04:34    BO PING sweep attempted by 168.191.229.14
Sat May 08 17:15:02    Back Orifice saw 19 bytes of garbage from
168.191.229.14
Sat May 08 17:15:19    BO PING sweep attempted by 168.191.229.14
Sat May 08 17:15:22    BO TYPE_REDIRADD attempted by 168.191.229.14
Sat May 08 17:15:24    BO TYPE_REDIRADD attempted by 168.191.229.14
Sat May 08 17:15:26    BO TYPE_REDIRADD attempted by 168.191.229.14
Sat May 08 17:15:28    BO TYPE_REDIRADD attempted by 168.191.229.14
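The BOF alert lines above can be turned into the kind of incident summary the report's INCIDENT SPECIFICS block gives (source address, first and last alert, probe duration, count per alert type). This is an added example, not code from Philip's report or from BOF; it assumes the line format shown above and supplies the year 1999, which BOF does not print.

```python
import re
from collections import Counter
from datetime import datetime

# BOF alert lines as they appear in the report above (the mail client wrapped
# one of them before the source address). BOF prints no year, so 1999 is
# supplied when the timestamps are parsed.
BOF_LOG = """\
Sat May 08 17:04:34    BO PING sweep attempted by 168.191.229.14
Sat May 08 17:15:02    Back Orifice saw 19 bytes of garbage from
168.191.229.14
Sat May 08 17:15:19    BO PING sweep attempted by 168.191.229.14
Sat May 08 17:15:22    BO TYPE_REDIRADD attempted by 168.191.229.14
Sat May 08 17:15:24    BO TYPE_REDIRADD attempted by 168.191.229.14
Sat May 08 17:15:26    BO TYPE_REDIRADD attempted by 168.191.229.14
Sat May 08 17:15:28    BO TYPE_REDIRADD attempted by 168.191.229.14
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# "<weekday> <month> <day> <hh:mm:ss>   <what happened> by|from <source IP>"
LINE_RE = re.compile(
    r"^(?P<stamp>\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<event>.+?)\s+(?:by|from)\s+(?P<src>" + IPV4 + r")$"
)


def unwrap(text):
    """Re-join an alert whose source IP was wrapped onto its own line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if re.fullmatch(IPV4, line) and lines:
            lines[-1] += " " + line
        else:
            lines.append(line)
    return lines


def parse_bof(text, year=1999):
    """Return one dict per recognised alert: time, event text, source IP."""
    events = []
    for line in unwrap(text):
        m = LINE_RE.match(line)
        if m is None:
            continue  # not a BOF alert line; ignore rather than guess
        when = datetime.strptime(f"{year} {m['stamp']}", "%Y %a %b %d %H:%M:%S")
        events.append({"time": when, "event": m["event"], "src": m["src"]})
    return events


def summarize(events):
    """Incident summary in the shape of the report's INCIDENT SPECIFICS block."""
    if not events:
        return None
    times = [e["time"] for e in events]
    first, last = min(times), max(times)
    return {
        "sources": sorted({e["src"] for e in events}),
        "first": first.strftime("%H:%M:%S"),
        "last": last.strftime("%H:%M:%S"),
        "duration_s": int((last - first).total_seconds()),
        "by_event": dict(Counter(e["event"] for e in events)),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_bof(BOF_LOG)).items():
        print(f"{key}: {value}")
```

On the lines above this reports a single source, a window of 17:04:34 to 17:15:28 (654 seconds) and four TYPE_REDIRADD attempts after two PING sweeps, which is the same timeline the report states by hand.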

 I called my ISP, their general TS (Tier 2, I believe) line for help.
Ten minutes in passing, I am forwarded to the on-call engineers @ the NOC.
(Tier 1 from this point on)
While on the phone with this engineer, he does the following:
1) Keith Moreno (kmoreno () uswest net) does a reverse query.
2) Kmoreno does a dig query as well.
3) Kmoreno does a traceroute (as to confirm and back up my efforts).
4) As per my request, he also saves these screen captures, and emails them
right then & there (we are on the phone while this takes place).
 From all that Kmoreno provided me (and please take note - because
this is very important IMHO - this is an engineer from US West that was
happy to help, glad that I reported this activity, and very cordial. He was
also very funny and a delight to work with ....), I was then able to
contact Sprint's DNS group. They (DNS engineers on-call that I reached back
on the East Coast) forwarded me to the appropriate folks that handle abuse.
From this point, I was sent an automated (e-bot) response thanking me for my
efforts - and included in this response were four areas that outline and
direct where abuse (spam) and malicious activities are to be reported and
guidelines outlining what they needed to carry out an investigation.
 So, I complied.
 I made myself available to help in any way, and thanked them for
their work and their efforts.
 Below, the efforts and results from Kmoreno and correspondence that
took place Saturday 08 May 1999 ~ 6:30pm Seattle, WA PDST / (GMT):

 Return-Path: <kmoreno () uswest net>
Delivered-To: philipsholt () sttlpop1 sttl uswest net
Received: (qmail 2570 invoked by uid 0); 9 May 1999 01:32:34 -0000
Received: from mail.uswest.net (HELO mail1.uswest.net) (204.147.80.17)
     by mail.sttl.uswest.net with SMTP; 9 May 1999 01:32:34 -0000
Received: (qmail 28026 invoked by alias); 9 May 1999 01:32:33 -0000
Delivered-To: philipsholt () uswest net
Received: (qmail 28001 invoked from network); 9 May 1999 01:32:33 -0000
Received: from tahiti.oss.uswest.net (204.147.85.151)
     by mail1.uswest.net with SMTP; 9 May 1999 01:32:33 -0000
Received: from uswest.net (kmoreno.oss.uswest.net [204.147.85.87])
     by tahiti.oss.uswest.net (8.9.2/8.9.2) with ESMTP id UAA72594
     for <philipsholt () uswest net>; Sat, 8 May 1999 20:32:30 -0500 (CDT)
     (envelope-from kmoreno () uswest net)
Message-ID: <3734E525.6DB5BE1F () uswest net>
Date: Sat, 08 May 1999 20:30:13 -0500
From: kmoreno <kmoreno () uswest net>
X-Mailer: Mozilla 4.5 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: philipsholt () uswest net
Subject: (no subject)
Content-Type: multipart/alternative;
     boundary="------------591860B2AFF920C3B4B0C216"
Status: U
X-UIDL: 926213555.2582.sttlpop1.sttl.uswest.net
X-Mozilla-Status: 8003

Sprint Corporation (NETBLK-SPLK-DIAL)
        1050 Connecticut Ave.
        Washington DC 20036
        Netname: SPLK-DIAL
        Netblock: 168.191.0.0 - 168.193.0.0
        Maintainer: SPRN
        Coordinator:
           Sprint DNS Administrator  (SDA4-ORG-ARIN)  dns-admin () SPRINT NET
           (800)232-6895
     Fax- (703)478-5471

        Domain System inverse mapping provided by:

        NS1.DIALSPRINT.NET           206.134.151.45
        NS2.DIALSPRINT.NET           206.134.79.44
        NS3.DIALSPRINT.NET           205.149.192.145

        Record last updated on 30-Sep-97.
        Database last updated on 7-May-99 16:14:21 EDT.


tahiti: {1} traceroute 168.191.229.14
traceroute to 168.191.229.14 (168.191.229.14), 30 hops max, 40 byte packets
 1  mpls-oss-igw (204.147.85.158)  0.543 ms  0.631 ms  0.502 ms
 2  mpls-oss-fw (192.168.1.190)  1.344 ms *  1.279 ms
 3  204.147.84.217 (204.147.84.217)  1.833 ms  1.607 ms  1.693 ms
 4  mpls-gw1 (207.225.159.250)  3.102 ms  2.198 ms  1.962 ms
 5  sl-gw17-chi-6-0-1.sprintlink.net (144.228.207.29)  20.154 ms  19.905 ms  19.855 ms
 6  sl-bb11-chi-3-2.sprintlink.net (144.232.0.209)  19.512 ms  19.927 ms  19.428 ms
 7  sl-bb4-chi-4-0-0.sprintlink.net (144.232.0.166)  20.487 ms  20.133 ms  20.013 ms
 8  sdn-pnc2-chi-12-0.dialsprint.net (207.143.96.162)  20.263 ms  21.291 ms  20.480 ms
 9  * * *
^C
tahiti: {2}


 Now, Sprint is in the picture, and their primary NOC Security
engineer sends me some info, in this case, Britt W. Mowery. He informs me
that EarthLink is now in the picture - and forwards everything I have done
thus far, and advises me what to do next. I comply. EarthLink is now
involved, and shortly thereafter I am contacted twice through email thanking
me for my efforts. Included in the first acknowledgement from EarthLink was
their AUP - which clearly indicated their stance towards cracker activity and
their approach to how they treat said individuals and their actions.
 I was given a case number - and encouraged to contact them should I
need to do so.
 Correspondence between Britt Mowery & myself is as follows: {Two emails}

Return-Path: <bmowery () sprint net>
Delivered-To: philipsholt () sttlpop1 sttl uswest net
Received: (qmail 3255 invoked by uid 0); 11 May 1999 04:20:37 -0000
Received: from mail3.uswest.net (204.147.80.19)
     by mail.sttl.uswest.net with SMTP; 11 May 1999 04:20:37 -0000
Received: (qmail 10561 invoked by alias); 11 May 1999 04:20:31 -0000
Delivered-To: philipsholt () uswest net
Received: (qmail 10516 invoked by uid 0); 11 May 1999 04:20:30 -0000
Received: from gate1.sprintlink.net (199.0.233.2)
     by mail3.uswest.net with SMTP; 11 May 1999 04:20:30 -0000
Received: from athens.res.sprintlink.net by gate1.sprintlink.net
     via smtpd (for mail3.uswest.net [204.147.80.19]) with SMTP; 11 May 1999
04:20:30 UT
Received: from isoc90.res.sprintlink.net (isoc90 [199.0.235.90])
     by athens.res.sprintlink.net (8.9.1/8.9.1) with ESMTP id AAA20008;
     Tue, 11 May 1999 00:20:29 -0400 (EDT)
Received: from localhost (bmowery@localhost)
     by isoc90.res.sprintlink.net (8.8.8+Sun/8.8.8) with SMTP id AAA06474;
     Tue, 11 May 1999 00:20:32 -0400 (EDT)
X-Authentication-Warning: isoc90.res.sprintlink.net: bmowery owned process doing
-bs
Date: Tue, 11 May 1999 00:20:32 -0400 (EDT)
From: Britt W Mowery <bmowery () sprint net>
X-Sender: bmowery@isoc90
To: abuse () earthlink net
CC: philipsholt () uswest net
Subject: [Fwd: Back Orifice Probe / Attemtps] (fwd)
Message-ID: <Pine.GSO.3.93.990511002016.6397F-110000@isoc90>
MIME-Version: 1.0
Content-Type: MULTIPART/MIXED; BOUNDARY=------------00A97DB1D4CB52B9E43A58D1
Content-ID: <Pine.GSO.3.96.990510114817.25562I@iscone>
Status: U
X-UIDL: 926396443.3552.sttlpop1.sttl.uswest.net
X-Mozilla-Status: 8003

----------------
Britt W. Mowery
Sr. IP Security Analyst
Sprint Corporate Security
bmowery () sprint net
1-800-572-8256
fax: (703) 478-5468
pager: 1-800-724-3329 pin 398-9691

---------- Forwarded message ----------
Date: Mon, 10 May 1999 11:48:20 -0400 (EDT)
From: Sprintlink Abuse Desk <abuse () sprint net>
To: security () sprint net
Subject: [Fwd: Back Orifice Probe / Attemtps] (fwd)

---------- Forwarded message ----------
Date: Sat, 08 May 1999 19:07:18 -0700
From: "Philip S Holt, Security Engineer / Network Engineer"
     <philipsholt () uswest net>
To: abuse () sprint net
Subject: [Fwd: Back Orifice Probe / Attemtps]

80% of the time BO goes to port 31337 & port 53 (UDP)    ...
15 - 20 % of the time it goes to other ports    ...
   Good luck.
   Let me know if you need anything else.
Philip.

  ------------------------------------------------------------

Message-ID: <3734EA4A.9DF7081F () uswest net>
Date: Sat, 08 May 1999 18:52:11 -0700
From: "Philip S Holt, Security Engineer / Network Engineer"
<philipsholt () uswest net>
Organization: Jerrapin Technology
X-Mailer: Mozilla 4.04 [en] (WinNT; U)
MIME-Version: 1.0
To: dns-admin () SPRINT NET
Subject: Back Orifice Probe / Attemtps
Content-Type: multipart/alternative;
boundary="------------7648BF0F2814D02A15B08E4D"

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Well - here you go.
   Please pass on to security group.
   My complete report will follow soon - please let me know the exact
address I should send it to.
   Have fun.    (-:    (-:
Philip.
Email add ^^
Phone (Links to cell if on-line) 206 285 4533


     Sat May 08 17:04:34    BO PING sweep attempted by 168.191.229.14
     Sat May 08 17:15:02    Back Orifice saw 19 bytes of garbage from
     168.191.229.14
     Sat May 08 17:15:19    BO PING sweep attempted by 168.191.229.14
     Sat May 08 17:15:22    BO TYPE_REDIRADD attempted by 168.191.229.14
     Sat May 08 17:15:24    BO TYPE_REDIRADD attempted by 168.191.229.14
     Sat May 08 17:15:26    BO TYPE_REDIRADD attempted by 168.191.229.14
     Sat May 08 17:15:28    BO TYPE_REDIRADD attempted by 168.191.229.14


   And, of course, from US West    ...

Subject: (no subject)
Date: Sat, 08 May 1999 20:30:13 -0500
From: kmoreno <kmoreno () uswest net>
To: philipsholt () uswest net





 AND ... ... ((2nd  P. Holt / B. Mowery correspondence))

 Return-Path: <bmowery () sprint net>
Delivered-To: philipsholt () sttlpop1 sttl uswest net
Received: (qmail 6617 invoked by uid 0); 11 May 1999 07:14:58 -0000
Received: from mail4.uswest.net (204.147.80.22)
     by mail.sttl.uswest.net with SMTP; 11 May 1999 07:14:58 -0000
Received: (qmail 9529 invoked by alias); 11 May 1999 07:14:57 -0000
Delivered-To: philipsholt () uswest net
Received: (qmail 9516 invoked by uid 0); 11 May 1999 07:14:56 -0000
Received: from gate1.sprintlink.net (199.0.233.2)
     by mail4.uswest.net with SMTP; 11 May 1999 07:14:56 -0000
Received: from athens.res.sprintlink.net by gate1.sprintlink.net
     via smtpd (for mail4.uswest.net [204.147.80.22]) with SMTP; 11 May 1999
07:14:57 UT
Received: from isoc90.res.sprintlink.net (isoc90 [199.0.235.90])
     by athens.res.sprintlink.net (8.9.1/8.9.1) with ESMTP id DAA13425
     for <philipsholt () uswest net>; Tue, 11 May 1999 03:14:57 -0400 (EDT)
Received: from localhost (bmowery@localhost)
     by isoc90.res.sprintlink.net (8.8.8+Sun/8.8.8) with SMTP id DAA00665
     for <philipsholt () uswest net>; Tue, 11 May 1999 03:15:02 -0400 (EDT)
X-Authentication-Warning: isoc90.res.sprintlink.net: bmowery owned process doing
-bs
Date: Tue, 11 May 1999 03:15:01 -0400 (EDT)
From: Britt W Mowery <bmowery () sprint net>
X-Sender: bmowery@isoc90
To: "Philip S Holt, Security Engineer / Network Engineer"
<philipsholt () uswest net>
Subject: Re: [Fwd: Back Orifice Probe / Attemtps] (fwd)
In-Reply-To: <3737D6B8.FF413F30 () uswest net>
Message-ID: <Pine.GSO.3.93.990511031420.491D-100000@isoc90>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Status: U
X-UIDL: 926406898.6637.sttlpop1.sttl.uswest.net
X-Mozilla-Status: 8011

Please send it all to Earthlink.  They will be investigating this issue.

Thanks a lot.

----------------
Britt W. Mowery
Sr. IP Security Analyst
Sprint Corporate Security
security () sprint net

On Tue, 11 May 1999, Philip S Holt, Security Engineer / Network Engineer wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Britt W Mowery wrote:

   Hello there.
   Now - do you folks want the completed report? Or, should
I just send it all to the  folks @ Earthlink?
   Thanks for passing this on. "Hopefully, we'll be
successful in our efforts. This nonsense will have to stop
one of these decades    ...    ..."
Philip.






 II. Phone Calls & Collaborative Conversations -
 Within six minutes of the captured BO probe, I called the ISP (1
800 number for TS help), provider of RAS accounts. This was the first of five
people that helped me within two hours. I was forwarded to the shift
'manager'. He was very interested in many things - so we talked for 30
minutes and he was given a mini Trojan (security) tutorial. He passed me
on to the NOC engineers (I held for 18 mins) and that's where I proceeded with
K Moreno. K Moreno sent the screen captures (^^) from above, chatted for a
bit, then sent me to the next 'appropriate level' (Britt Mowery @ Sprint).
Britt then moved me along to EarthLink. I initially emailed Britt, then I was
called back shortly thereafter by Britt. I was instructed what to do next,
and did so accordingly.


 III. Electronic Messages and Collaborative Information Exchange -
Initial email to K Moreno.
Secondary email to K Moreno.
 I receive one back that is two pages (see ^^).
I email the general US Sprint DNS group, get a response (e-bot).
I phone their 1 800 number - on-call DNS engineer gives me the right abuse
email address. I email this address (this is the 4th email).
Britt Mowery responds.
I email Britt (5th email).
I email EarthLink. Get their automated response.
I email the appropriate group. Get an acknowledgement.
I email them, thank them for their work. They email me, thank me for my
efforts. (7th email. In total, those outbound SMTP blocks + those inbound
equalled more than 20 messages!)
 This whole process takes place over nine days. It's important to note
this. Some emails have been omitted of course. IMHO, I have included the
important ones.


 IV. Follow-Up -
 This was the easy part (comparatively speaking). Since I now have (I
got these early and believe this served me well in the final analysis) a case
number(s), should I want anything else (info - whatever may interest me I
suppose) in the future, it will be easie(r) to get. In other words, I
displayed more than the average amount of time and resources that warrant
such efforts based on the incident itself - so I believe this was recognized
from the onset and as a result all involved were more than happy to assist
me. A friend and colleague tutored me on how to 'effectively navigate' through
this quagmire - and that individual is Paul Robertson. He was right on how to
approach engineers when you need to get info, and without his insights, I
would have come up short.


 V. Continuation Of Efforts -
 Most of this is for my own use, as I took this whole opportunity as a
valuable tool to learn many things, which, obviously, I did. A very wise
man recently told me:
1) Everything you do makes my job easier.
2) Every machine you tighten down & secure makes my job easier and more
effective.
3) Everyone you help helps me in return.
 The continuation of my efforts are my goals and reasons to someday be
effective and considered a good security engineer amongst my peers, and this
is but one rung of the ladder that I must climb and master. Besides, my
primary instructor is watching and monitoring my progress - and he keeps me
in line and moving in the right direction (LJH).


 VI. After-Thoughts & "Lessons Learned" -
 What's left to say? As a result of this posting ("Did anyone else
pick this up?" and later email postings directly and indirectly related) to
the firewall-wizards majordomo list group, there have been ~ 120 relevant
emails and all sorts of great information that came as a result of this thread
and initial report, so, as far as I can surmise - nothing but good came as a
result. I learned way more than I ever bargained for, and that's more than OK
by me, because I am a novice as a security systems engineer and have lots to
learn. It is my belief my instructor((s)) (Teacher((s)) ) would concur (their
wording).


 VII. Back Orifice / NetBus Specifics & Anomalies -
   Back Orifice - UDP packets to port 31337 for standard port listening,
though in many instances it can easily be configured to listen on other
ports. Research and specifics from other firewall-wizards list members have
confirmed this. In my second report (incident trailed back to Hertfordshire,
St. Albans, GB) I not only found both NetBus and BO in the probe, but both
nmap & nlog were buried in the scan as well. In this case, yes, BO was
listening on higher port numbers than the default of 31337. The 'ruse',
however, displayed that the cracker was clever and more than just a 'script kiddie'.
   NetBus - Connection request (SYN) packets to TCP ports 12345, 12346, and/or
20034. As with BO, NetBus can also be disguised to listen on other
lesser-known ports - and list group statistics and shared information also
confirm this.

 To the best of my abilities, this is my recounting and reporting of
the BO probe & scan that took place Saturday the 8th of May 1999. Thank you
to all involved,

Philip S Holt
Jerrapin Technology Network & Security Systems
200 Roy ST #404
Seattle, WA
98109
USA
philipsholt () uswest net
206 285 4533
