Security Incidents mailing list archives

New trojan running in port 12345?


From: Martin H Hoz-Salvador <mhoz () citi com mx>
Date: Tue, 19 Dec 2000 23:30:21 -0600

I've had a lot of scans to my internal network on port 12345
since this past December 15. It's quite normal for me to see scans
looking for NetBus at 12345, but this time the scans have been
quite intensive. The time between consecutive packets is 5
seconds, and these are some sample logs I have:

Dec 15 2000  01:40:03   TCP netscan from 211.110.69.203 to port 12345
Dec 15 2000  03:54:09   TCP netscan from 211.186.92.53 to port 12345
Dec 15 2000  05:40:19   TCP netscan from 211.106.196.250 to port 12345
Dec 15 2000  07:10:31   TCP netscan from 216.206.93.115 to port 12345
Dec 15 2000  07:13:18   TCP netscan from 211.59.110.170 to port 12345
Dec 15 2000  07:37:07   TCP netscan from 211.104.39.12 to port 12345
Dec 15 2000  07:46:47   TCP netscan from 211.117.204.8 to port 12345
[SNIP]
Dec 16 2000  00:00:47   TCP netscan from 210.182.33.153 to port 12345
Dec 16 2000  00:04:16   TCP netscan from 211.195.119.253 to port 12345
Dec 16 2000  00:08:47   TCP netscan from 211.247.76.18 to port 12345
Dec 16 2000  00:15:37   TCP netscan from 24.176.170.123 to port 12345
Dec 16 2000  01:09:38   TCP netscan from 209.53.141.69 to port 12345
Dec 16 2000  02:56:47   TCP netscan from 211.59.92.44 to port 12345
[SNIP]
Dec 17 2000  00:00:02   TCP netscan from 211.179.177.165 to port 12345
Dec 17 2000  00:00:13   TCP netscan from 24.161.92.159 to port 12345
Dec 17 2000  00:12:52   TCP netscan from 211.107.211.143 to port 12345
Dec 17 2000  00:14:31   TCP netscan from 211.53.178.101 to port 12345
Dec 17 2000  00:16:35   TCP netscan from 210.207.242.11 to port 12345
[SNIP]
Dec 18 2000  00:16:22   TCP netscan from 211.181.27.38 to port 12345
Dec 18 2000  00:35:15   TCP netscan from 203.228.215.11 to port 12345
Dec 18 2000  00:55:52   TCP netscan from 211.63.151.234 to port 12345
[SNIP]
Dec 18 2000  17:27:41   TCP netscan from 24.24.165.21 to port 12345
Dec 18 2000  18:32:05   TCP netscan from 211.222.152.33 to port 12345
Dec 18 2000  19:18:01   TCP netscan from 211.170.46.111 to port 12345
[SNIP]
Dec 19 2000  17:00:03   TCP netscan from 211.234.168.220 to port 12345
Dec 19 2000  17:12:45   TCP netscan from 24.14.101.226  to port 12345
Dec 19 2000  19:26:09   TCP netscan from 24.19.20.116   to port 12345
Dec 19 2000  19:39:01   TCP netscan from 211.105.70.185 to port 12345

As you see, the other strange pattern is that most of the scans come from
APNIC-assigned addresses. Unfortunately, I don't have any "raw session"
records from my IDS right now, but I have reconfigured it to record future
sessions.

Do you have any ideas about it?

Regards.

-- M. Hoz
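
The kind of triage the post does by hand (counting hits per day, noticing that sources cluster in a few address ranges, looking at how closely the probes follow each other) is easy to script over this log format. The following is an added example written for this archive page, not code from the original poster: the regular expression, the `parse_line`/`parse_log`/`summarize` functions and the 5-minute burst threshold are my own choices, and the sample log is a handful of lines copied from the post (plus a `[SNIP]` marker to show that non-matching lines are skipped). It groups sources by /8 prefix only; attributing a prefix to a registry such as APNIC would need RIR whois data and is not attempted here.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample: a few lines in the shape of the IDS log quoted in the post.
SAMPLE_LOG = """\
Dec 15 2000  01:40:03   TCP netscan from 211.110.69.203 to port 12345
Dec 15 2000  03:54:09   TCP netscan from 211.186.92.53 to port 12345
Dec 15 2000  07:10:31   TCP netscan from 216.206.93.115 to port 12345
Dec 16 2000  00:00:47   TCP netscan from 210.182.33.153 to port 12345
Dec 16 2000  00:04:16   TCP netscan from 211.195.119.253 to port 12345
Dec 16 2000  00:15:37   TCP netscan from 24.176.170.123 to port 12345
[SNIP]
Dec 19 2000  17:00:03   TCP netscan from 211.234.168.220 to port 12345
Dec 19 2000  17:12:45   TCP netscan from 24.14.101.226  to port 12345
"""

# Assumed log layout (my regex, derived from the lines in the post):
#   "<Mon> <day> <year>  <HH:MM:SS>   <PROTO> netscan from <src> to port <port>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) (?P<day>\d{1,2}) (?P<year>\d{4})\s+"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<proto>TCP|UDP) netscan from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+to port (?P<port>\d+)\s*$"
)


def parse_line(line):
    """Return (timestamp, proto, src, port) or None for lines that don't match (e.g. '[SNIP]')."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{m['mon']} {m['day']} {m['year']} {m['time']}"
    ts = datetime.strptime(stamp, "%b %d %Y %H:%M:%S")
    return ts, m["proto"], m["src"], int(m["port"])


def parse_log(text):
    """Parse every matching line and return the events sorted by timestamp."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return sorted(events)


def summarize(events, port=12345, hot_gap=timedelta(minutes=5)):
    """Count hits on `port` per day, per /8 prefix and per source, and list pairs of
    consecutive hits that arrive within `hot_gap` of each other (a coarse 'burst' signal)."""
    hits = [e for e in events if e[3] == port]
    per_day = Counter(ts.date().isoformat() for ts, _, _, _ in hits)
    per_prefix = Counter(src.split(".")[0] + ".0.0.0/8" for _, _, src, _ in hits)
    per_source = Counter(src for _, _, src, _ in hits)
    bursts = []
    for (t1, _, s1, _), (t2, _, s2, _) in zip(hits, hits[1:]):
        if t2 - t1 <= hot_gap:
            bursts.append((s1, s2, int((t2 - t1).total_seconds())))
    return {
        "total": len(hits),
        "per_day": dict(per_day),
        "per_prefix": dict(per_prefix),
        "repeat_sources": {s: n for s, n in per_source.items() if n > 1},
        "bursts": bursts,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the full log the post was taken from, `per_day` shows whether December 15 really is a step change from the usual NetBus background noise, `repeat_sources` separates a few persistent scanners from a wide sweep by many hosts, and `bursts` catches sources that follow each other closely enough to suggest coordinated or automated probing.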

