Security Incidents mailing list archives

Re: Firewall hits/unknown ports


From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 8 Nov 2001 07:45:08 +1200

<bonk () webchat chatsystems com> wrote:

> Anyone know what trojans/backdoors run on 22634, 24544 and 29319?
> Snort.org doesn't list these.

This style of reply is seldom accepted for posting, but it should be
remembered that only knowing the attempted port is a **very, very
poor** diagnostic.  Most of the modern RATs, bots, etc., and
nearly all of the widely used ones, allow the ports they run on to be
configured.  Thus, only knowing "port X was scanned" and "port X is
the default port for <some RAT>" does not tell you much.  Further,
few of the IDSes, etc. do traffic analysis to better detect which RAT,
bot, etc. may be involved *and* of those that do, few do so for more
than a tiny fraction of the RATs.


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
