Security Incidents mailing list archives

Re: correlation between portscans and local activity


From: barakirs () NETVISION NET IL (R a v e N)
Date: Tue, 4 Jan 2000 20:18:48 +0200


Both ports are Windows remote administration trojan ports, I think.
Could either be a script kiddie scanning everyone on his contact list
that goes online (maybe with some ICQ plugins. I've seen some
"click-and-winnuke" ICQ plugins once, so I guess there are RAT ports
scanners for ICQ as well. Next thing there's gonna be an integrated
message spoofer and other such features like in LIcq). It could also be
another script kiddie scanning whole subnets for RAT ports.
If not (I'm completely sure that the second is a RAT port, but I don't
know about the first), it could just be an IRC server scanning someone
from your family for a wingate or SOCKS firewall on their box that can
be used for bouncing (most IRC servers do this whenever someone
initiates an IRC session with them in order to fight wingaters and
suchlikes).

Try downloading blacksun.box.sk/nemesis-latest.zip. It scans for RAT
ports on your local machine and on your friends' machines or on your own
network and searches for RATs. It is possible that the "attacker(s)"
is/are misusing it or a similar program...

--
If a packet hits a pocket on a socket on a port
And the bus is interrupted as a very last resort
And the address of the memory makes the data link abort
Then the socket packet pocket has an error to report.

http://blacksun.box.sk

Thomas Molina wrote:

This weekend I've started noticing a possible loose correlation between
portscans on my Linux boxes and local activity.  It is connected to the
internet through a cable modem.  It also provides masqueraded internet
connectivity for a couple of Win 98 boxes.  The Windows boxes mainly are
used by the family for web browsing, icq, and aol instant messaging.

There now appears to be some coincidence between the times my family
does web browsing and when I get scanned for port 1080.  I also got some
scans for port 31337 (back orifice?) following an icq session by my son.

Is this just a wild guess on my part or am I just now noticing something
blindingly obvious to everyone else?

Time to learn more about NAT and iptables so I can confirm this wild
theory.
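One way to test the quoted hypothesis (that the 1080 and 31337 probes arrive shortly after the masqueraded hosts open outbound connections, as would happen if an IRC server proxy-checks each connecting client), as an added example that is from neither poster: it parses constructed iptables LOG lines from the gateway and, for each inbound probe of a watched port, reports whether the probing host had been contacted from inside within a short window. The rule prefixes NAT-OUT and IN-DROP, the addresses and the timestamps are all assumed for the sample.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of gateway kernel log lines (not taken from the thread).
# Assumed rule prefixes: "NAT-OUT" logs new outbound connections from the
# masqueraded LAN, "IN-DROP" logs rejected inbound connection attempts.
SAMPLE_LOG = """\
Jan  4 19:02:11 gw kernel: NAT-OUT IN=eth1 OUT=eth0 SRC=192.168.1.10 DST=203.0.113.5 PROTO=TCP SPT=1034 DPT=6667
Jan  4 19:02:14 gw kernel: IN-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=3421 DPT=1080
Jan  4 19:02:15 gw kernel: IN-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=3422 DPT=80
Jan  4 19:15:00 gw kernel: IN-DROP IN=eth0 OUT= SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP SPT=3500 DPT=1080
Jan  4 19:30:40 gw kernel: IN-DROP IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.7 PROTO=TCP SPT=4444 DPT=31337
"""

LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: (\S+) .*?SRC=(\S+) DST=(\S+) .*?DPT=(\d+)"
)

def parse(log_text, year=2000):
    """Turn LOG lines into (time, prefix, src, dst, dport) tuples; syslog omits the year."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4), int(m.group(5))))
    return events

def correlate(events, watch_ports=(1080, 31337), window=timedelta(minutes=5)):
    """For each inbound probe of a watched port, say whether the probing host was
    contacted from inside the LAN within `window` before the probe arrived.
    True means the probe looks like a reaction to our own connection (e.g. a
    server proxy-checking a client); False means an unsolicited scan."""
    outbound = [(ts, dst) for ts, tag, _src, dst, _dpt in events if tag == "NAT-OUT"]
    findings = []
    for ts, tag, src, _dst, dpt in events:
        if tag != "IN-DROP" or dpt not in watch_ports:
            continue
        prior = any(o_dst == src and timedelta(0) <= ts - o_ts <= window
                    for o_ts, o_dst in outbound)
        findings.append({"time": ts, "scanner": src, "port": dpt,
                         "follows_outbound": prior})
    return findings

if __name__ == "__main__":
    for f in correlate(parse(SAMPLE_LOG)):
        kind = "reaction to our connection" if f["follows_outbound"] else "unsolicited"
        print(f"{f['time']:%H:%M:%S} {f['scanner']:>15} -> port {f['port']:<5} {kind}")
```

A probe that always follows an outbound connection to the same host (the first 1080 line) supports the proxy-check explanation; probes from hosts nobody inside has talked to (the 31337 line) point at an independent scan.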
