Security Incidents mailing list archives

Re: Strange back-orifice looking scan...


From: "KoRe MeLtDoWn" <koremeltdown () hotmail com>
Date: Wed, 04 Sep 2002 21:09:46 +0000

Hey Jeff,
Port 1214 is used by Kazaa aka Morpheus; this is obviously the remote port that the "scanner" is using. Port 31336 IS used by Back Orifice 2000 aka BO2k aka DeepBO (this is a special release of BO, btw).
It appears the attacker may be doing one of two things:
a/ He/she has somehow manipulated Kazaa to scan not for other Kazaa users on port 1214, but to scan for BO-infected machines on port 31336.
b/ The other possibility is simple: they've written a scanner or customised the settings of a current scanner to have the local scanning port on port 1214 to make it look like it's Kazaa doing it automatically; however, they are actively portscanning either your network (I wasn't sure if it was a network you had) or just your lone box.
This is just a suggestion, but the best one I could come up with :)
To check the validity of my theory: if it is a box with Kazaa operating on it, it should have port 80 open if I recall, showing all shared files within the Kazaa program - they may have patched this in the later versions that have been released lately, of course :)
Hope this helps you


Hamish Stanaway

-= KoRe WoRkS =- Internet Security
Owner/Operator
http://www.koreworks.com/

New Zealand

Is your box REALLY secure?

From: Jeff Kell <jeff-kell () utc edu>
To: Incidents List <incidents () securityfocus com>
Subject: Strange back-orifice looking scan...
Date: Wed, 04 Sep 2002 12:08:48 -0400

This popped up on ingress this morning, apparently with forged source addresses (given the timing). Didn't get a packet capture but just
the signature (we block Back Orifice ports):

Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet

Any clues on this one?  Looks new to me...

Jeff

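A way to do the triage Jeff did by eye, as an added example that is not part of the original thread and not code from either poster: parse Cisco IOS ACL log lines of the %SEC-6-IPACCESSLOGP form and flag clusters of many distinct sources hitting one destination port within a short window, reporting the indicators both posters reason from (the fixed source port 1214, the spread of source networks, the roughly one-packet-per-second pacing). The log lines are the ones from Jeff's post, reproduced as a constant; the year (2002) is assumed from the message header because IOS log lines carry no year, and the window and source-count thresholds are assumptions to tune for your own traffic.

```python
"""Parse Cisco IOS ACL log lines and flag scan-like clusters (added example)."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

ASSUMED_YEAR = 2002  # assumption: IOS syslog timestamps omit the year

# One %SEC-6-IPACCESSLOGP entry, e.g.
#   Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
ACL_LOG_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) +(?P<time>\d{2}:\d{2}:\d{2}(?:\.\d+)?) +\S+: +"
    r"%SEC-6-IPACCESSLOGP: +list +(?P<acl>\S+) +(?P<action>denied|permitted) +(?P<proto>\w+) +"
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) +-> +(?P<dst>[\w.]+)\((?P<dport>\d+)\), +(?P<count>\d+) +packets?$"
)

# The 19 entries from Jeff's post (destination sanitised by him as aa.bb.cc.dd).
SAMPLE_LOG = """\
Sep 4 11:56:30.810 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.33.81.214(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:32.142 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.146.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:33.582 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.28.28.138(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:34.594 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.177.34.146(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:35.650 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.88.68.110(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:36.862 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.95.36.95(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:38.094 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.70.219(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:39.206 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.30.116.61(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:40.226 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 66.108.24.108(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:41.290 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.154.41(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:42.478 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.24.214.52(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:43.486 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.35.2.129(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:56:44.946 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.27.249.134(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:45.864 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 65.29.114.254(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:47.048 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 12.217.88.31(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:50.288 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 24.130.16.39(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:53.680 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 216.202.177.153(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:58:56.268 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 61.99.48.65(1214) -> aa.bb.cc.dd(31336), 1 packet
Sep 4 11:59:00.488 EDT: %SEC-6-IPACCESSLOGP: list 100 denied udp 146.115.94.106(1214) -> aa.bb.cc.dd(31336), 1 packet
"""


def parse_acl_line(line, year=ASSUMED_YEAR):
    """Return a dict for one ACL log entry, or None if the line is not one."""
    m = ACL_LOG_RE.match(line.strip())
    if not m:
        return None
    t = m["time"] if "." in m["time"] else m["time"] + ".0"  # IOS may log without msec
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {t}", "%Y %b %d %H:%M:%S.%f")
    return {"ts": ts, "acl": m["acl"], "action": m["action"], "proto": m["proto"].lower(),
            "src": m["src"], "sport": int(m["sport"]), "dst": m["dst"],
            "dport": int(m["dport"]), "count": int(m["count"])}


def parse_acl_log(text):
    """Parse every recognised line of a log dump; unrecognised lines are skipped."""
    return [r for r in (parse_acl_line(ln) for ln in text.splitlines()) if r]


def find_scan_clusters(records, window=timedelta(minutes=5), min_sources=10):
    """Group by (dst, proto, dport) and report groups where at least `min_sources`
    distinct sources hit the same target within `window`.  The extra fields are
    the tells an analyst looks at: one fixed source port across unrelated hosts,
    sources spread over many /8s, and steady pacing.  They are indicators of a
    single scanner (possibly with forged sources), not proof of spoofing."""
    groups = defaultdict(list)
    for r in records:
        groups[(r["dst"], r["proto"], r["dport"])].append(r)
    clusters = []
    for (dst, proto, dport), recs in groups.items():
        recs.sort(key=lambda r: r["ts"])
        sources = {r["src"] for r in recs}
        span = recs[-1]["ts"] - recs[0]["ts"]
        if len(sources) < min_sources or span > window:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        sports = {r["sport"] for r in recs}
        clusters.append({
            "dst": dst, "proto": proto, "dport": dport,
            "packets": sum(r["count"] for r in recs),
            "distinct_sources": len(sources),
            "distinct_first_octets": len({s.split(".")[0] for s in sources}),
            "span_seconds": span.total_seconds(),
            "median_gap_seconds": statistics.median(gaps) if gaps else 0.0,
            "fixed_source_port": sports.pop() if len(sports) == 1 else None,
        })
    return clusters


if __name__ == "__main__":
    for c in find_scan_clusters(parse_acl_log(SAMPLE_LOG)):
        print(f"{c['proto']}/{c['dport']} on {c['dst']}: {c['distinct_sources']} sources "
              f"from {c['distinct_first_octets']} /8s in {c['span_seconds']:.1f}s, "
              f"median gap {c['median_gap_seconds']:.2f}s, fixed sport {c['fixed_source_port']}")
```

Run against the posted lines this reports one cluster: 19 distinct sources from 7 different /8 networks hitting udp/31336 on the one host within about 150 seconds, one packet each, all with source port 1214 and a median gap of about 1.2 seconds. Those are the numbers behind Jeff's "forged source addresses (given the timing)" reading and Hamish's scanner-with-a-fixed-local-port theory; a genuine population of independent Kazaa clients would not line up that neatly. The same parser works on routine ACL deny logs, where `min_sources` and `window` set how noisy a host has to be before it is reported.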


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

