Security Incidents mailing list archives

Re: Port 2000, 2002 scans


From: "Arnold, Jamie" <harnold () BINGHAMTON EDU>
Date: Tue, 12 Sep 2000 14:00:06 -0400

I have seen MANY machines with these ports open.  Too many, I think, for it
to be TransScout.  Sounds like there must be another explanation for this.


-----Original Message-----
From: Erik Tayler [mailto:nine () 14X NET]
Sent: Tuesday, September 12, 2000 12:14 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Port 2000, 2002 scans


It is a possibility that "user" is infected with TransScout [ a somewhat
old backdoor ]. For a FAQ and some more information about removing the
backdoor, go to the link below:

http://members.tripod.de/transscout/tshelp.htm#faq1

If the user is not infected, read through RFC1445

http://www.cis.ohio-state.edu/htbin/rfc/rfc1445.html  [ or ]
http://www.landfield.com/rfcs/rfc1351.html

Could probably be a multitude of other things, 2000 seems to be one of
the "ports-of-choice" this year. Pfft.

Erik Tayler
http://www.14x.net/fx

"L.A. Smith" wrote:

Hello!

I have had hundreds of complaints from one user about port scans on his PC
for ports 2000 and 2002.  I know 2000 can be used for OpenWin.  I haven't
been able to get a straight answer from this person about what they're
running but seeing as they use Jammer as their firewall software (heh, not
my idea!), they must be running Windoze of some sort.  Could someone shed
some light as to what hundreds of IP addresses would want with their port
2000 and 2002?

Thanks!

