Security Incidents mailing list archives
Re: Port 65535, again
From: vventura () SIA PT (vventura () SIA PT)
Date: Tue, 11 Apr 2000 09:23:35 -0000
Hi, there are at least two trojans that listen on that port, probably someone is probing for those trojans.

Hi, we had this thread already in February but the answers to this problem were a bit vague. So another chance to clarify this: more than one month later, same (and another one) source machine(s), same signature.

Apr 3 10:01:09 X.Y kernel: Packet log: input REJECT eth1 PROTO=6 209.1.224.16:65535 134.130.X.Y:65535 L=52 S=0x00 I=5405 F=0x0093 T=237 (#106)
Apr 5 15:43:24 X.Y kernel: Packet log: input REJECT eth1 PROTO=6 192.115.221.125:65535 134.130.X.Y:65535 L=28 S=0x00 I=18772 F=0x00B8 T=50 (#106)

In contrast to the older case, these packets do not come very regularly every 2 minutes, though sometimes there is an exactly 2-minute time-distance. The destination was exactly one machine (X.Y).

Bye, Jens

> Feb 29 07:12:25 firepower kernel: Packet log: private1
> DENY eth0 PROTO=6
> 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
> I=15817 F=0x00B8 T=47
> (#7)
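
Added example, not part of either post: a Python parser for ipchains packet-log lines like those quoted in this thread. It flags TCP packets whose source and destination ports are both 65535 and reports the gaps between hits per source, to check for the 2-minute spacing mentioned above. The year (2000, from the post date), the function names and the last three sample lines are assumptions; those three lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipchains log line: chain, action, interface, PROTO, src:port, dst:port, L/S/I/F/T
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ kernel: Packet log: (?P<chain>\S+) "
    r"(?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[^\s:]+):(?P<sport>\d+) (?P<dst>[^\s:]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=\S+ I=(?P<ipid>\d+) F=(?P<frag>\S+) T=(?P<ttl>\d+)")

def parse(line, year=2000):
    """Return a dict for one ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # syslog timestamps carry no year; the caller supplies it (assumed 2000 here)
    rec["when"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    for k in ("proto", "sport", "dport", "len", "ttl"):
        rec[k] = int(rec[k])
    return rec

def probes_by_source(lines, port=65535):
    """Group TCP packets with source port == destination port == port by source."""
    hits = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec["proto"] == 6 and rec["sport"] == rec["dport"] == port:
            hits[rec["src"]].append(rec["when"])
    return {src: sorted(times) for src, times in hits.items()}

def gaps_seconds(times):
    """Seconds between consecutive hits, to check for a fixed probe interval."""
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]

# The first three lines are from the thread; the last three are constructed.
SAMPLE = [
    "Feb 29 07:12:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=15817 F=0x00B8 T=47 (#7)",
    "Apr 3 10:01:09 X.Y kernel: Packet log: input REJECT eth1 PROTO=6 209.1.224.16:65535 134.130.X.Y:65535 L=52 S=0x00 I=5405 F=0x0093 T=237 (#106)",
    "Apr 5 15:43:24 X.Y kernel: Packet log: input REJECT eth1 PROTO=6 192.115.221.125:65535 134.130.X.Y:65535 L=28 S=0x00 I=18772 F=0x00B8 T=50 (#106)",
    "Apr 7 10:00:00 fw kernel: Packet log: input REJECT eth1 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=28 S=0x00 I=100 F=0x0000 T=50 (#106)",
    "Apr 7 10:02:00 fw kernel: Packet log: input REJECT eth1 PROTO=6 192.0.2.10:65535 198.51.100.5:65535 L=28 S=0x00 I=101 F=0x0000 T=50 (#106)",
    "Apr 7 10:03:00 fw kernel: Packet log: input REJECT eth1 PROTO=6 192.0.2.10:1025 198.51.100.5:80 L=40 S=0x00 I=102 F=0x0000 T=50 (#106)",
]

if __name__ == "__main__":
    for src, times in probes_by_source(SAMPLE).items():
        print(src, len(times), gaps_seconds(times))
```
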
Current thread:
- Port 65535, again Jens Hektor (Apr 06)
- Re: Port 65535, again vventura () SIA PT (Apr 11)