Security Incidents mailing list archives
Re: Port 65535
From: keithp () CORP PTD NET (Keith Pachulski)
Date: Mon, 6 Mar 2000 19:49:28 -0000
There was an old trojan that use to run on 65535. I believe
it was called Linuxemu. That was some time ago though, not
sure if a newer trojan is also using that port.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hey all...
Been watching a rather strange scan of our Class C
for the past week; I
don't know if I'd even call it a scan. Perhaps a
misconfigured machine, or
something? Here's a log snippet:
Feb 29 07:12:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=15817 F=0x00B8 T=47
(#7)
Feb 29 07:14:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=16104 F=0x00B8 T=47
(#7)
Feb 29 07:16:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=16310 F=0x00B8 T=47
(#7)
Feb 29 07:18:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=16430 F=0x00B8 T=47
(#7)
Feb 29 07:20:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=16564 F=0x00B8 T=47
(#7)
Feb 29 07:22:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=16767 F=0x00B8 T=47
(#7)
Feb 29 07:24:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=17015 F=0x00B8 T=47
(#7)
Feb 29 07:26:25 firepower kernel: Packet log: private1 DENY
eth0 PROTO=6
192.115.221.125:65535 207.245.232.127:65535 L=28 S=0x00
I=17227 F=0x00B8 T=47
(#7)
I'm denying all of them at the firewall. I'm
rather curious as to what
it is, though. The source is a machine in Israel, and, as
of yesterday, the
scans were continuing on an intermittent basis. When it's
happening, it sends
out a packet to our machine exactly every two minutes.
Anybody have any idea on this one?
Mike
- ----------------------------------
Message sent on 02-Mar-00 at 15:54:35
Mike Murray
Apt 1402
666 Spadina Ave
Toronto, ON
M5S 2H8
Phone: (416) 323-3160
I can't think of anything pithy to say at
all, today. So, I ramble.
- ----------------------------------
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.2
iQA/AwUBOL7VD4DBZTHOsqLmEQJNJACfagI24fOLNIjiyH8sRQ9VhUdGqU0A
oPwa
mTR4DMdfuEIC9q30UubUW6L6
=wG8B
-----END PGP SIGNATURE-----
Current thread:
- UDP Probes (?) from port 28432 to 28431 ?, (continued)
- UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 04)
- Re: UDP Probes (?) from port 28432 to 28431 ? Alexander Schreiber (Mar 07)
- UDP Probes (?) from port 28432 to 28431 ? Klaus Moeller (Mar 07)
- Re: UDP Probes (?) from port 28432 to 28431 ? Xander Jansen (Mar 09)
- Re: CNET Hackers hit e-commerce site Chris Davis (Mar 04)
- Port 65535 Murray, Mike (Mar 02)
- @home: Is *anyone* really home there??? (fwd) Light Of Day (Mar 04)
- Re: Port 65535 Pavel Kankovsky (Mar 04)
- Re: Port 65535 Murray, Mike (Mar 04)
- Re: Port 65535 Richard Bejtlich (Mar 04)
- Re: Port 65535 Keith Pachulski (Mar 06)
- Re: auto-reporting to ISPs wozz () LUVEWE BONCH ORG (Mar 02)
- Re: auto-reporting to ISPs Stuart Staniford-Chen (Mar 06)
- Re: @home: Is *anyone* really home there??? Greg A. Woods (Mar 02)
- Re: @home: Is *anyone* really home there??? William Annis (Mar 03)