Security Incidents mailing list archives
Re: probes for port 27374 (ASP)?
From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Thu, 14 Dec 2000 12:15:24 -0500

Hi Omar,

I received one too the other day:

Dec 10 00:45:12 cesam kernel: Packet log: input DENY eth1 PROTO=6 x.y.35.152:2272 x.y.47.52:27374 L=48 S=0x00 I=16663 F=0x4000 T=121 SYN (#2)

I'm pretty sure it's for SubSeven:

---
Port 27374 (TCP)
This is one of the most commonly probed ports on the Internet right now, due to its inclusion within the SubSeven Trojan. The reason it is so common is that SubSeven provides the ability to tell a compromised system to scan on its behalf. This allows cr/hackers to scan with impunity.
Ref: <http://advice.networkice.com/Advice/Exploits/Ports/27374/default.htm>
---

Best,
GFK's

At 12:56 -0600 11/12/00, Omar Herrera wrote:
I have been receiving lately probes for TCP port 27374 (ASP: Address Search Protocol) through my ISP connection (about 6 or 7 since Friday; two or three a day). I have never before seen such requests and I'm curious if they could be related to any new vulnerability or a known Trojan horse. None of the source addresses seems to be related to another; each source address sent one probe only and I received requests in different addresses assigned dynamically by my ISP at different times, which makes me think that these probes are being sent to all (or parts) of my ISP domain.

--
http://logidac.com
Guillaume Filion (GFK's)
Logidac Technologies, Québec, Canada
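
Added example (not part of the original message or the list archive): a Python sketch that parses ipchains "Packet log" lines of the kind quoted above and groups TCP SYNs to port 27374 by source, to check for the one-probe-per-source pattern described in the quoted message. The sample log lines, their addresses, the name probe_summary and the sweep_like threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# ipchains "Packet log" layout, matching the log line quoted in the message.
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>\S+):(?P<sport>\d+) "
    r"(?P<dst>\S+):(?P<dport>\d+) .*?T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

# Constructed sample log (documentation address ranges, hypothetical host "fw").
SAMPLE = """\
Dec 10 00:45:12 fw kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.10:2272 198.51.100.5:27374 L=48 S=0x00 I=16663 F=0x4000 T=121 SYN (#2)
Dec 10 09:02:40 fw kernel: Packet log: input DENY eth1 PROTO=6 192.0.2.77:1034 198.51.100.5:27374 L=48 S=0x00 I=501 F=0x4000 T=113 SYN (#2)
Dec 11 14:20:03 fw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.9:4410 198.51.100.23:27374 L=48 S=0x00 I=8812 F=0x4000 T=109 SYN (#2)
Dec 11 14:21:55 fw kernel: Packet log: input DENY eth1 PROTO=6 203.0.113.40:3301 198.51.100.23:80 L=48 S=0x00 I=90 F=0x4000 T=52 SYN (#2)
Dec 11 15:00:00 fw kernel: Packet log: input DENY eth1 PROTO=17 203.0.113.41:53 198.51.100.23:27374 L=60 S=0x00 I=91 F=0x0000 T=52 (#2)
Dec 11 15:01:00 fw sshd[411]: unrelated line that must be skipped
""".splitlines()


def probe_summary(lines, port=27374):
    """Group logged TCP SYNs to `port` by source address."""
    by_src = defaultdict(list)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an ipchains packet-log line
        # Keep only TCP (PROTO=6) connection attempts (SYN) to the port.
        if m["proto"] != "6" or int(m["dport"]) != port or not m["syn"]:
            continue
        by_src[m["src"]].append(m["dst"])
    single = sorted(s for s, dsts in by_src.items() if len(dsts) == 1)
    targets = sorted({d for dsts in by_src.values() for d in dsts})
    return {
        "sources": len(by_src),
        "single_probe_sources": single,
        "targets": targets,
        # Assumed heuristic: several unrelated one-shot sources hitting more
        # than one local address suggests a wide scan, not a targeted one.
        "sweep_like": len(single) >= 3 and len(targets) >= 2,
    }


if __name__ == "__main__":
    print(probe_summary(SAMPLE))
```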