Re: What is this (port 7626 tcp)?

["Keith R. Jarvis" <kjarvis () ISS NET>]

Glacier backdoor, see http://xforce.iss.net/static/4339.php It's a
pretty common one, though if I remember correctly its written in
Chinese which would make it of limited use to most non-Asian
speaking hackers.

If you'd like a copy I can get you that too.

HTH

> Hi,
>
> I've checked several trojan port lists, without success.  Any thoughts?
>
> Aug 21 04:54:27 gw ipmon[28005]: 04:54:27.299473             tun0 @0:34 b
> 202.11
> 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
> Aug 21 04:54:30 gw ipmon[28005]: 04:54:30.263861             tun0 @0:34 b
> 202.11
> 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
> Aug 21 04:54:36 gw ipmon[28005]: 04:54:36.245459             tun0 @0:34 b
> 202.11
> 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
> Aug 21 04:54:48 gw ipmon[28005]: 04:54:48.177990             tun0 @0:34 b
> 202.11
> 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
>
> Logs are from a fully patched OpenBSD 2.6 box.  Only ports available from
> the outside are http and ssh.
>
> Thanks,
> Bruce
>
> -------------------------------------------------------
> Bruce Parkinson           Phone   +64 7 838-2010
> Systems Administrator     Fax     +64 7 838-0977
> PavTech NZ Ltd &          Mobile  +64 25 545-142
> Wave Internet             bruce.parkinson () pavtech co nz
> PO Box 935, WMC
> Hamilton                  http://www.pavtech.co.nz/
> NEW ZEALAND               http://www.wave.co.nz/


--
Keith R. Jarvis (kjarvis () iss net)             http://xforce.iss.net
Internet Security Systems, Inc.               +1-678-443-6149 (direct)
The Power to Protect                          +1-678-443-6479 (fax)