Security Incidents mailing list archives
Re: New trojan running in port 12345?
From: claymore <claymore () ADELPHIA NET>
Date: Thu, 21 Dec 2000 12:53:36 -0500
You have GOT to be kidding...An Anti-virus product that listens on one of themost well know trojan ports in existance? Whoever designed that should be taken out back and beaten. port 12345 cron / crontab, Fat Bitch trojan, GabanBus, icmp_pipe.c, Mypic , NetBus , NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill The most prevelent, of course being NetBus, which is a standard script-kiddie toy. PRobably the second most widley used, next to SubSeven. If you need info on any of these feel free to contact me. I will be more than happy to help. Claymore the unprofound -----Original Message----- From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Edwards, David (JTD) Sent: Wednesday, December 20, 2000 6:04 PM To: INCIDENTS () SECURITYFOCUS COM Subject: Re: New trojan running in port 12345? Hi,
-----Original Message----- From: Martin H Hoz-Salvador [mailto:mhoz () CITI COM MX] Sent: Wednesday, 20 December 2000 4:00 PM To: INCIDENTS () SECURITYFOCUS COM Subject: New trojan running in port 12345? I've had a lot of scans to my internal network to port 12345 since past december 15. It's quite normal for me to see scans looking for NetBus at 12345, but this time scans have been quite intensive. The time between consecutive packets it's 5 seconds, and these are some sample logs I have:
Not sure if this is relevant but the OfficeScan anti-virus software (http://www.antivirus.com/products/osce/) listens on TCP 12345 for updates. I guess it could be a DNS error pointing clients to an incorrect address? Are they all heading for the same IP? ciao dave --- Dave Edwards Justice Technology Division Ph: +61 8 82265426 || 0408 808355 mailto: edwards.david2 () saugov sa gov au Snail : Justice Technology Division GPO Box 2048, Adelaide 5001 --- The information in this e-mail may be confidential and/or legally privileged. Use or disclosure by anyone other than the intended recipient is prohibited and may be unlawful. If you have received this e-mail in error, please advise me immediately ---
Current thread:
- New trojan running in port 12345? Martin H Hoz-Salvador (Dec 20)
- Re: New trojan running in port 12345? Russell Fulton (Dec 21)
- Re: New trojan running in port 12345? Jose Nazario (Dec 21)
- <Possible follow-ups>
- Re: New trojan running in port 12345? Edwards, David (JTD) (Dec 21)
- Re: New trojan running in port 12345? claymore (Dec 21)
- Re: New trojan running in port 12345? Edwards, David (JTD) (Dec 21)
- Re: New trojan running in port 12345? Michael H. Warfield (Dec 21)
- Re: New trojan running in port 12345? Russell Fulton (Dec 21)