Security Incidents mailing list archives
Re: Firewall hits/unknown ports
From: "Nick FitzGerald" <nick () virus-l demon co uk>
Date: Thu, 8 Nov 2001 07:45:08 +1200
<bonk () webchat chatsystems com> wrote:
> Anyone know what trojans/backdoors run on 22634, 24544 and 29319? Snort.org doesn't list these.
This style of reply is seldom accepted for posting, but it should be remembered that only knowing the attempted port is a **very, very poor** diagnostic. Most of the modern RATs, bots, etc and nearly all of the widely used ones, allow the ports they run on to be configured. Thus, only knowing "port X was scanned" and "port X is the default port for <some RAT>" does not tell you much.

Further, few of the IDSes, etc do traffic analysis to better detect which RAT, bot, etc may be involved *and* of those that do, few do so for more than a tiny fraction of the RATs.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com