Re: New Trojan

[Russell Fulton <r.fulton () auckland ac nz>]

On Wed, 2003-10-29 at 07:17, Damian Gerow wrote:

> I also just completed a UDP port scan of the infect host, which was
> completely useless.  My screen buffer only goes back so far, but every port
> from 64367 and up is marked as 'open'.  :(

I have little faith in UDP scans because lack of response is taken as
meaning the port is open.  UDP scanning works on the principle that
closed port should send back a ICMP port unreachable.  If the port is
filtered or packet dropped anywhere along the path or the machine does
not respond with the expected unreachable or the unreachable gets
filtered or dropped then the port will show as open.

You probably know all this but, just in case...

-- 
Russell Fulton, Network Security Officer, The University of Auckland,
New Zealand.


---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------