Security Incidents mailing list archives
Re: Port 65535
From: keithp () CORP PTD NET (Keith Pachulski)
Date: Mon, 6 Mar 2000 19:49:28 -0000
There was an old trojan that used to run on 65535. I believe it was called Linuxemu. That was some time ago though, not sure if a newer trojan is also using that port.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hey all...

Been watching a rather strange scan of our Class C for the past week; I don't know if I'd even call it a scan. Perhaps a misconfigured machine, or something? Here's a log snippet:

Feb 29 07:12:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=15817 F=0x00B8 T=47 (#7)
Feb 29 07:14:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=16104 F=0x00B8 T=47 (#7)
Feb 29 07:16:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=16310 F=0x00B8 T=47 (#7)
Feb 29 07:18:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=16430 F=0x00B8 T=47 (#7)
Feb 29 07:20:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=16564 F=0x00B8 T=47 (#7)
Feb 29 07:22:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=16767 F=0x00B8 T=47 (#7)
Feb 29 07:24:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=17015 F=0x00B8 T=47 (#7)
Feb 29 07:26:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=17227 F=0x00B8 T=47 (#7)

I'm denying all of them at the firewall. I'm rather curious as to what it is, though. The source is a machine in Israel, and, as of yesterday, the scans were continuing on an intermittent basis. When it's happening, it sends out a packet to our machine exactly every two minutes.

Anybody have any idea on this one?

Mike

- ----------------------------------
Message sent on 02-Mar-00 at 15:54:35
Mike Murray
Apt 1402 666 Spadina Ave
Toronto, ON M5S 2H8
Phone: (416) 323-3160
I can't think of anything pithy to say at all, today. So, I ramble.
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2

iQA/AwUBOL7VD4DBZTHOsqLmEQJNJACfagI24fOLNIjiyH8sRQ9VhUdGqU0AoPwa
mTR4DMdfuEIC9q30UubUW6L6
=wG8B
-----END PGP SIGNATURE-----
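An added example, not part of the thread or of anyone's posted code: a small Python parser for the ipchains "Packet log:" lines quoted in the post, which decodes the raw IP header fields the kernel logs (L is total length, S is TOS, I is IP ID, F is the raw fragment field, T is TTL, #n the matching rule) and then checks whether a source/destination pair is hitting the firewall at a fixed interval, the "exactly every two minutes" observation. The eight log lines are the ones from the post; the year 2000 is an assumption, since syslog timestamps carry none. One property of this log format worth knowing when reading it: ipchains reports both ports as 65535 for non-first IP fragments, whose transport header it cannot see, so decoding F before interpreting the port numbers as a service avoids a wrong conclusion.

```python
import re
from collections import Counter
from datetime import datetime

# Layout of a Linux 2.2 ipchains log line:
#   <syslog ts> <host> kernel: Packet log: <chain> <verdict> <iface> PROTO=<n>
#   <src>:<sport> <dst>:<dport> L=<total len> S=0x<tos> I=<ip id> F=0x<frag> T=<ttl> (#<rule>)
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) "
    r"F=0x(?P<frag>[0-9A-Fa-f]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

# The lines quoted in the post (sample input for this example).
SAMPLE_LINES = [
    "Feb 29 07:%02d:25 firepower kernel: Packet log: private1 DENY eth0 PROTO=6 "
    "192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00 I=%d F=0x00B8 T=47 (#7)"
    % (minute, ipid)
    for minute, ipid in zip(range(12, 27, 2),
                            [15817, 16104, 16310, 16430, 16564, 16767, 17015, 17227])
]


def parse_line(line, year=2000):
    """Parse one ipchains log line into a dict; None if it is not one.

    `year` is assumed because syslog timestamps omit it (needed for Feb 29).
    """
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    frag = int(d["frag"], 16)  # raw IP frag_off field: flags in the top 3 bits, offset below
    return {
        "ts": datetime.strptime("%d %s" % (year, d["ts"]), "%Y %b %d %H:%M:%S"),
        "host": d["host"], "chain": d["chain"], "verdict": d["verdict"],
        "iface": d["iface"], "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]),
        "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "tos": int(d["tos"], 16), "id": int(d["id"]),
        "df": bool(frag & 0x4000),            # Don't Fragment
        "mf": bool(frag & 0x2000),            # More Fragments
        "frag_offset": (frag & 0x1FFF) * 8,   # offset is stored in 8-byte units
        "ttl": int(d["ttl"]), "rule": int(d["rule"]),
    }


def is_nonfirst_fragment(rec):
    """True when the packet is a later fragment, i.e. it carries no transport header."""
    return rec["frag_offset"] > 0


def interarrival_seconds(records):
    """Seconds between consecutive packets of each (src, dst) pair, in time order."""
    by_pair = {}
    for r in sorted(records, key=lambda r: r["ts"]):
        by_pair.setdefault((r["src"], r["dst"]), []).append(r["ts"])
    return {pair: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for pair, ts in by_pair.items()}


def dominant_period(deltas):
    """(modal gap, fraction of gaps equal to it), or None with fewer than two gaps."""
    if len(deltas) < 2:
        return None
    period, n = Counter(deltas).most_common(1)[0]
    return period, n / len(deltas)


def analyze(lines, year=2000):
    """Per (src, dst) pair: packet count, dominant interval, and fragment/TTL facts."""
    records = [r for r in (parse_line(l, year) for l in lines) if r]
    summary = {}
    gaps = interarrival_seconds(records)
    for pair, deltas in gaps.items():
        recs = [r for r in records if (r["src"], r["dst"]) == pair]
        period = dominant_period(deltas)
        summary[pair] = {
            "count": len(recs),
            "period": period[0] if period else None,
            "share": period[1] if period else None,
            "all_nonfirst_fragments": all(is_nonfirst_fragment(r) for r in recs),
            "ttls": sorted({r["ttl"] for r in recs}),
        }
    return summary


if __name__ == "__main__":
    for pair, s in analyze(SAMPLE_LINES).items():
        print("%s -> %s: %d packets, modal gap %ss (%.0f%% of gaps), "
              "later fragments only: %s, TTL %s"
              % (pair[0], pair[1], s["count"], s["period"], 100 * s["share"],
                 s["all_nonfirst_fragments"], s["ttls"]))
```

Run over a real ipchains log, the interesting output is a pair whose `share` is close to 1.0 at a round `period` (a timer-driven sender rather than a scan sweeping ports) and whose `all_nonfirst_fragments` is true, which means the 65535 port values say nothing about any service and the F field, not the port, is what to look at.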
Current thread:
- UDP Probes (?) from port 28432 to 28431 ?, (continued)
- UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 04)
- Re: UDP Probes (?) from port 28432 to 28431 ? Alexander Schreiber (Mar 07)
- UDP Probes (?) from port 28432 to 28431 ? Klaus Moeller (Mar 07)
- Re: UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 09)
- Re: CNET Hackers hit e-commerce site Chris Davis (Mar 04)
- Port 65535 Murray, Mike (Mar 02)
- @home: Is *anyone* really home there??? (fwd) Light Of Day (Mar 04)
- Re: Port 65535 Pavel Kankovsky (Mar 04)
- Re: Port 65535 Murray, Mike (Mar 04)
- Re: Port 65535 Richard Bejtlich (Mar 04)
- Re: Port 65535 Keith Pachulski (Mar 06)
- Re: auto-reporting to ISPs wozz () LUVEWE BONCH ORG (Mar 02)
- Re: auto-reporting to ISPs Stuart Staniford-Chen (Mar 06)
- Re: @home: Is *anyone* really home there??? Greg A. Woods (Mar 02)
- Re: @home: Is *anyone* really home there??? William Annis (Mar 03)