Re: Two scans (Klogin and a trojan?)

[Dan_Schrader () TRENDMICRO COM (Dan Schrader)]

port 27374 is used by the SubSeven trojan

> -----Original Message-----
> From: Jose Nazario [SMTP:jose () BIOCSERVER BIOC CWRU EDU]
> Sent: Sunday, May 21, 2000 10:13 AM
> To:   INCIDENTS () SECURITYFOCUS COM
> Subject:      Two scans (Klogin and a trojan?)
>
> Hi all,
>
> [All local hostname munged, all source IPs and names are what was
> recorded.]
>
> I wanted to report on two quick scans I caught this weekend. Coming back
> from a vacation to find some suspicious log entries sucks, but hey, life
> would be boring without it.
>
> The first is in regards to the recent Kerberos vulnerabilities (see the
> CERT advisory), someone probing for Klogin ports:
>
> May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4,
> port 543
>
> Now, this is rather worrysome:
>
>         Name:    ns2.keminmaa.fi
>         Address:  194.252.152.4
>
> It is named as nameserver (ns2) and, sure enough, responds as one. I hope
> it's not a rooted BIND8 server, but they'd be in good company if it is.
>
> The second appears to be a trojan scan, but I could find nothing
> associated with that port (any ideas?):
>
> May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64,
> port 27374
>
> Looks like a customer having fun or a compromised box:
>
>         Name:    pp2-64.world-net.co.nz
>         Address:  210.55.227.64
>
> All times are in CDT (GMT-4) with the clock running fast by about 10
> minutes.
>
> See y'all around,
>
> jose nazario                                  jose () biochemistry cwru edu
> PGP fingerprint: 89 B0 81 DA 5B FD 7E 00  99 C3 B2 CD 48 A0 07 80
> Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc