
IDS: RE: Scanning on tcp port 27374




Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
HELP: Having problems... email questions to ids-owner@uow.edu.au
NOTE: Remove this section from reply msgs otherwise the msg will bounce.
SPAM: DO NOT send unsolicited mail to this list.
UNSUBSCRIBE: email "unsubscribe ids" to majordomo@uow.edu.au
-----------------------------------------------------------------------------
Thanks to everyone who responded. I was not aware of the SubSeven Trojan,
but from what I've seen, it's currently the most popular "Back Door" trojan
in use. I've seen many more scans for SubSeven than NetBus or BackOrifice,
the two I already knew of.

I found a description of SubSeven at:
http://vil.nai.com/villib/dispVirus.asp?virus_k=10566 (description of
infection)

Other useful links (sent to me) were:
http://www.simovits.com/nyheter9902.html (list of Trojan ports)
http://www.robertgraham.com/pubs/firewall-seen.html (excellent reference)

As a clarification, these scans were captured using a packet sniffer, *not*
from host activity (fortunately).

-----Original Message-----
From: Benninghoff, John [mailto:JaBenninghoff@DainRauscher.com]
Sent: Wednesday, April 26, 2000 2:47 PM
To: ids@uow.edu.au
Subject: IDS: Scanning on tcp port 27374


Hello all,

I've been lurking on IDS for several months now and I have a question for
the list...

I am currently working with Network ID using SHADOW, and I have seen several
sequential and semi-sequential scans on tcp port 27374. I have not been able
to figure out what exploit or service these scans are looking for, and I was
wondering if anyone knew what service runs on this port, or is it simply an
arbitrary port used by a scanning tool? Also, has anyone else come across
these types of scans?

Any info would be appreciated. Thanks.

-------------------------------------
John A Benninghoff
mailto:jabenninghoff@dainrauscher.com