Security Incidents mailing list archives

Re: New trojan running in port 12345?


From: claymore <claymore () ADELPHIA NET>
Date: Thu, 21 Dec 2000 12:53:36 -0500

You have GOT to be kidding...An Anti-virus product that listens on one of
the most well-known trojan ports in existence?

Whoever designed that should be taken out back and beaten.

port 12345 cron / crontab, Fat Bitch trojan, GabanBus, icmp_pipe.c, Mypic,
NetBus, NetBus Toy, NetBus worm, Pie Bill Gates, Whack Job, X-bill

The most prevalent, of course being NetBus, which is a standard
script-kiddie toy. Probably the second most widely used, next to SubSeven.

If you need info on any of these feel free to contact me. I will be more
than happy to help.

Claymore
the unprofound

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On
Behalf Of Edwards, David (JTD)
Sent: Wednesday, December 20, 2000 6:04 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: New trojan running in port 12345?


Hi,

-----Original Message-----
From: Martin H Hoz-Salvador [mailto:mhoz () CITI COM MX]
Sent: Wednesday, 20 December 2000 4:00 PM
To: INCIDENTS () SECURITYFOCUS COM
Subject: New trojan running in port 12345?

I've had a lot of scans to my internal network to port 12345
since past December 15.  It's quite normal for me to see scans
looking for NetBus at 12345, but this time scans have been
quite intensive. The time between consecutive packets is 5
seconds, and these are some sample logs I have:

Not sure if this is relevant but the OfficeScan anti-virus
software (http://www.antivirus.com/products/osce/) listens on
TCP 12345 for updates.  I guess it could be a DNS error pointing
clients to an incorrect address?  Are they all heading for the
same IP?

ciao
dave
---
Dave Edwards
Justice Technology Division
Ph: +61 8 82265426 || 0408 808355
mailto: edwards.david2 () saugov sa gov au
Snail : Justice Technology Division
        GPO Box 2048, Adelaide 5001
---
The information in this e-mail may be confidential and/or legally
privileged.  Use or disclosure by anyone other than the intended
recipient is prohibited and may be unlawful.  If you have received
this e-mail in error, please advise me immediately
---
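
The two observations in this thread (probes to port 12345 spaced about 5 seconds apart, and the question of whether they all head for the same IP) can be checked directly against firewall logs. The following is an added example, not part of the original thread: the log format, the `sweep_min` threshold and the sample lines are constructed assumptions, and the addresses come from documentation ranges.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (assumed format: date time src dst dst_port).
SAMPLE_LOG = """\
2000-12-20 10:00:00 198.51.100.7 192.0.2.10 12345
2000-12-20 10:00:05 198.51.100.7 192.0.2.11 12345
2000-12-20 10:00:10 198.51.100.7 192.0.2.12 12345
2000-12-20 10:00:15 198.51.100.7 192.0.2.13 12345
2000-12-20 10:01:00 203.0.113.9 192.0.2.50 12345
2000-12-20 10:31:00 203.0.113.9 192.0.2.50 12345
2000-12-20 11:01:00 203.0.113.9 192.0.2.50 12345
2000-12-20 10:02:00 198.51.100.7 192.0.2.10 80
"""

def classify(n_dst, n_pkts, sweep_min=3):
    """Many destinations looks like a scan; one repeated destination looks
    like a client aimed at a single host (e.g. a misdirected update)."""
    if n_dst >= sweep_min:
        return "sweep"
    if n_dst == 1 and n_pkts > 1:
        return "single-target"
    return "inconclusive"

def summarize(log_text, port=12345):
    """Per source: packet count, distinct destinations, median gap on `port`."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[4] != str(port):
            continue  # malformed line or a different destination port
        ts = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        hits[parts[2]].append((ts, parts[3]))
    report = {}
    for src, events in hits.items():
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        dsts = {dst for _, dst in events}
        report[src] = {
            "packets": len(events),
            "destinations": len(dsts),
            "median_gap_s": median(gaps) if gaps else None,
            "pattern": classify(len(dsts), len(events)),
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A source that walks across many addresses at a fixed short interval is scanning; a source that keeps returning to one address at long intervals is worth checking against known software that uses the port before treating it as hostile.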

