Security Incidents mailing list archives

Re: probes for port 27374 (ASP)?


From: Guillaume Filion <gfk () LOGIDAC COM>
Date: Thu, 14 Dec 2000 12:15:24 -0500

Hi Omar,

I received one too the other day:
Dec 10 00:45:12 cesam kernel: Packet log: input DENY eth1 PROTO=6
x.y.35.152:2272 x.y.47.52:27374 L=48 S=0x00 I=16663 F=0x4000 T=121
SYN (#2)

I'm pretty sure it's for SubSeven:
---
Port 27374

(TCP) This is one of the most commonly probed ports on the Internet
right now, due to its inclusion within the SubSeven Trojan. The
reason it is so common is that SubSeven provides the ability to tell
a compromised system to scan on its behalf. This allows cr/hackers to
scan with impunity.

Ref: <http://advice.networkice.com/Advice/Exploits/Ports/27374/default.htm>
---

Best,
GFK's


At 12:56 -0600 11/12/00, Omar Herrera wrote:
I have been receiving lately probes for TCP port 27374 (ASP: Address
Search Protocol) through my ISP connection (about 6 or 7 since Friday;
two or three a day).

I have never before seen such requests and I'm curious if they could be
related to any new vulnerability or a known Trojan horse.

None of the source addresses seems to be related to another; each source
address sent one probe only and I received requests in different
addresses assigned dynamically by my ISP at different times, which makes
me think that these probes are being sent to all (or parts) of my ISP
domain.
--
http://logidac.com
Guillaume Filion (GFK's)
Logidac Technologies, Québec, Canada
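
Added example, not part of the original messages: a Python parser for the ipchains `Packet log:` format quoted in the reply above. It counts TCP SYN probes to port 27374 per source address, which is the check Omar describes (whether each source probed only once). The sample log lines are constructed (documentation address ranges) and the function names are hypothetical.

```python
import re
from collections import Counter

# ipchains "Packet log:" entry, as quoted in the reply above (re-joined to one line).
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\w.]+):(?P<sport>\d+) (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"L=\d+ S=0x[0-9A-Fa-f]+ I=\d+ F=0x[0-9A-Fa-f]+ T=(?P<ttl>\d+)"
    r"(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)
WATCHED_PORT = 27374  # the port discussed in this thread

# Constructed sample lines (documentation address ranges), not real traffic.
_PFX = "fw kernel: Packet log: input DENY eth1 "
_SFX = " L=48 S=0x00 I=100 F=0x4000 T=121"
SAMPLE_LOG = "\n".join([
    "Dec 10 00:45:12 " + _PFX + "PROTO=6 192.0.2.15:2272 203.0.113.52:27374" + _SFX + " SYN (#2)",
    "Dec 10 09:02:40 " + _PFX + "PROTO=6 198.51.100.7:4410 203.0.113.52:27374" + _SFX + " SYN (#2)",
    "Dec 11 14:20:03 " + _PFX + "PROTO=6 198.51.100.99:1033 203.0.113.60:27374" + _SFX + " SYN (#2)",
    "Dec 11 14:25:00 " + _PFX + "PROTO=6 192.0.2.77:3001 203.0.113.60:80" + _SFX + " SYN (#2)",
    "Dec 11 14:26:00 " + _PFX + "PROTO=17 192.0.2.80:53 203.0.113.60:27374" + _SFX + " (#3)",
    "Dec 11 14:27:00 fw sshd[411]: Connection closed by 192.0.2.90",
])

def parse_line(line):
    """Return the fields of one ipchains log line as a dict, or None if it is not one."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def probes_for_port(log_text, port=WATCHED_PORT):
    """Count TCP (PROTO=6) SYN packets to `port`, keyed by source address."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == 6 and rec["syn"] and rec["dport"] == port:
            hits[rec["src"]] += 1
    return hits

def summarize(hits):
    """Many sources with one probe each suggests a sweep rather than a targeted host."""
    singles = sum(1 for n in hits.values() if n == 1)
    return {"probes": sum(hits.values()), "sources": len(hits), "single_probe_sources": singles}

if __name__ == "__main__":
    print(summarize(probes_for_port(SAMPLE_LOG)))
```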

