Security Incidents mailing list archives
Re: What is this (port 7626 tcp)?
From: "Keith R. Jarvis" <kjarvis () ISS NET>
Date: Sun, 22 Aug 0100 12:05:33 -0400
Glacier backdoor, see http://xforce.iss.net/static/4339.php

It's a pretty common one, though if I remember correctly it's written in Chinese, which would make it of limited use to most non-Asian speaking hackers. If you'd like a copy I can get you that too.

HTH

Hi,

I've checked several trojan port lists, without success. Any thoughts?

Aug 21 04:54:27 gw ipmon[28005]: 04:54:27.299473 tun0 @0:34 b 202.11 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
Aug 21 04:54:30 gw ipmon[28005]: 04:54:30.263861 tun0 @0:34 b 202.11 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
Aug 21 04:54:36 gw ipmon[28005]: 04:54:36.245459 tun0 @0:34 b 202.11 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S
Aug 21 04:54:48 gw ipmon[28005]: 04:54:48.177990 tun0 @0:34 b 202.11 0.40.45,2097 -> 203.96.193.75,7626 PR tcp len 20 48 -S

Logs are from a fully patched OpenBSD 2.6 box. Only ports available from the outside are http and ssh.

Thanks,
Bruce

-------------------------------------------------------
Bruce Parkinson                 Phone  +64 7 838-2010
Systems Administrator           Fax    +64 7 838-0977
PavTech NZ Ltd &                Mobile +64 25 545-142
Wave Internet                   bruce.parkinson () pavtech co nz
PO Box 935, WMC Hamilton        http://www.pavtech.co.nz/
NEW ZEALAND                     http://www.wave.co.nz/

--
Keith R. Jarvis (kjarvis () iss net)      http://xforce.iss.net
Internet Security Systems, Inc.           +1-678-443-6149 (direct)
The Power to Protect                      +1-678-443-6479 (fax)
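
An added example, not part of the original messages: a Python sketch that parses ipmon lines of the kind quoted above, picks out blocked SYN-only packets to a watched port (7626/tcp, as identified in the reply), and uses the spacing between them to tell one retried connection attempt from several separate probes. The sample lines are constructed with documentation addresses; summarize, WATCHED_PORTS and the doubling-gap heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# 7626/tcp is the port identified in this thread; extend the map as needed.
WATCHED_PORTS = {7626: "Glacier backdoor"}

# Constructed sample in ipmon format (documentation addresses, timing modelled
# on the thread's log). Action "b" = blocked, "p" = passed; "-S" = SYN only.
SAMPLE = """\
Aug 21 04:54:27 gw ipmon[28005]: 04:54:27.299473 tun0 @0:34 b 192.0.2.45,2097 -> 198.51.100.75,7626 PR tcp len 20 48 -S
Aug 21 04:54:30 gw ipmon[28005]: 04:54:30.263861 tun0 @0:34 b 192.0.2.45,2097 -> 198.51.100.75,7626 PR tcp len 20 48 -S
Aug 21 04:54:36 gw ipmon[28005]: 04:54:36.245459 tun0 @0:34 b 192.0.2.45,2097 -> 198.51.100.75,7626 PR tcp len 20 48 -S
Aug 21 04:54:48 gw ipmon[28005]: 04:54:48.177990 tun0 @0:34 b 192.0.2.45,2097 -> 198.51.100.75,7626 PR tcp len 20 48 -S
Aug 21 04:55:02 gw ipmon[28005]: 04:55:02.101010 tun0 @0:12 p 192.0.2.99,3100 -> 198.51.100.75,80 PR tcp len 20 48 -S
"""

# Groups 1-3 are the packet timestamp; the syslog time has no fraction and is skipped.
LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d\.\d+) \S+ @\d+:\d+ (?P<action>\w) "
    r"(?P<src>[\d.]+),(?P<sport>\d+) -> (?P<dst>[\d.]+),(?P<dport>\d+) "
    r"PR tcp len \d+ \d+ -(?P<flags>[A-Z]+)")

def summarize(log_text):
    """Group blocked SYN-only packets to watched ports by flow (src, sport, dst, dport)."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m or m["action"] != "b" or m["flags"] != "S":
            continue
        if int(m["dport"]) not in WATCHED_PORTS:
            continue
        secs = int(m[1]) * 3600 + int(m[2]) * 60 + float(m[3])
        flows[(m["src"], int(m["sport"]), m["dst"], int(m["dport"]))].append(secs)
    report = []
    for (src, sport, dst, dport), times in sorted(flows.items()):
        gaps = [round(b - a) for a, b in zip(times, times[1:])]
        # Heuristic (assumption): one source port with doubling gaps is a TCP
        # stack retransmitting a single unanswered SYN, not several probes.
        retry = len(gaps) >= 2 and all(b == 2 * a for a, b in zip(gaps, gaps[1:]))
        report.append({"src": src, "sport": sport, "dst": dst, "dport": dport,
                       "label": WATCHED_PORTS[dport], "packets": len(times),
                       "gaps": gaps, "attempts": 1 if retry else len(times)})
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

On the sample, the four blocked packets collapse into one flow with gaps of 3, 6 and 12 seconds, which is the backoff of a single connection attempt being retried rather than four independent probes.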
Current thread:
- What is this (port 7626 tcp)? Bruce Parkinson (Aug 21)
- Re: What is this (port 7626 tcp)? Keith R. Jarvis (Aug 22)