Re: Port scanned

From: Warren Bailey (
Date: 09/07/01

Message-ID: <006401c13721$fdbbb430$6401a8c0@server>
From: "Warren Bailey" <>
Subject: Re: Port scanned
Date: Thu, 6 Sep 2001 14:19:27 -0800

Well.. sometimes people will open that port just to make it look that way..
I've seen machines with every port on the entire box show as open, but then
again, ipchains was denying access. I would say you should go and have a
beer, and audit more apache/secure logs on who's doing this. I wouldn't worry
about the trinoo stuff. I don't even think that there is a Netbus
client/server MADE for FBSD.


----- Original Message -----
From: "Subba Rao" <>
Sent: Thursday, September 06, 2001 1:59 PM
Subject: Port scanned

> Most of the log entries in the past few weeks were the Code Red worm. Now
> then I get access attempts from Sub-7 worm (port 27573). Today I have noticed a
> system trying to access port 33112 on my system. I could match this port
> any of the well known trojan ports. So, I reverse probed the probing
> Among the several ports that it has open (FreeBSD system), it had the
> ports visible.
> 12345/tcp filtered NetBus
> 27665/tcp filtered Trinoo_Master
> Is Trinoo_Master the server component of the DDOS tool? What is the best
> course of action when you find a potential hostile system?
> Thanks for any info.
> --
> Subba Rao
> GPG public key ID CCB7344E
> Key fingerprint = A8DD 4CBA 1E9B D962 A55B 2B55 BAFE 92C5 CCB7 344E