Re: Port scanned

From: Warren Bailey (type0@gci.net)
Date: 09/07/01


Message-ID: <006401c13721$fdbbb430$6401a8c0@server>
From: "Warren Bailey" <type0@gci.net>
To: "Subba Rao" <subba9@home.com>, "Focus IDS" <FOCUS-IDS@SECURITYFOCUS.COM>
Subject: Re: Port scanned
Date: Thu, 6 Sep 2001 14:19:27 -0800

Well.. sometimes people will open that port just to make it look that way..
I've seen machines with every port on the entire box show as open, but then
again, ipchains was denying access. I would say you should go and have a
beer, and audit more apache/secure logs on who's doing this. I wouldn't worry
about the trinoo stuff. I don't even think that there is a Netbus
client/server MADE for FBSD.

cheers

----- Original Message -----
From: "Subba Rao" <subba9@home.com>
To: "Focus IDS" <FOCUS-IDS@SECURITYFOCUS.COM>
Sent: Thursday, September 06, 2001 1:59 PM
Subject: Port scanned

>
> Most of the log entries in the past few weeks were the Code Red worm. Now and
> then I get access attempts from Sub-7 worm (port 27573). Today I have noticed a
> system trying to access port 33112 on my system. I could match this port to
> any of the well known trojan ports. So, I reverse probed the probing system.
> Among the several ports that it has open (FreeBSD system), it had the following
> ports visible.
>
> 12345/tcp filtered NetBus
> 27665/tcp filtered Trinoo_Master
>
> Is Trinoo_Master the server component of the DDOS tool? What is the best
> course of action when you find a potential hostile system?
>
> Thanks for any info.
> --
>
> Subba Rao
> subba9@home.com
> http://members.home.net/subba9/
>
> GPG public key ID CCB7344E
> Key fingerprint = A8DD 4CBA 1E9B D962 A55B 2B55 BAFE 92C5 CCB7 344E
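
An added example, not part of either post: a small Python triage of scan output in the `port/proto state service` layout quoted above, separating ports with a confirmed listener from ports whose state a packet filter hides. The sample input is constructed (only the two `filtered` lines come from the thread), and the function and bucket names are this example's own.

```python
import re

# Constructed sample. The two "filtered" lines are the ones quoted in the
# thread; the "open" and "closed" lines are made up for contrast.
SAMPLE = """\
22/tcp    open     ssh
80/tcp    open     http
113/tcp   closed   auth
12345/tcp filtered NetBus
27665/tcp filtered Trinoo_Master
"""

LINE = re.compile(r"^(\d{1,5})/(tcp|udp)\s+(\S+)(?:\s+(\S+))?$")

# What each reported state actually establishes about the remote host.
BUCKETS = {
    "open": "listening",            # something accepted the probe
    "closed": "closed",             # host answered, nothing listening
    "filtered": "undetermined",     # a filter dropped or rejected the probe
    "unfiltered": "undetermined",   # reachable, open/closed not determined
    "open|filtered": "undetermined",
    "closed|filtered": "undetermined",
}

def parse(text):
    """Return (port, proto, state, label) tuples for well-formed lines."""
    rows = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or not 1 <= int(m.group(1)) <= 65535:
            continue  # skip banners, blank lines and impossible ports
        rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4) or ""))
    return rows

def triage(rows):
    """Group ports by what the state proves, not by the service label."""
    out = {"listening": [], "closed": [], "undetermined": []}
    for port, _proto, state, _label in rows:
        # Without version detection the label is only a lookup on the port
        # number, so it is deliberately ignored when bucketing.
        out[BUCKETS.get(state, "undetermined")].append(port)
    return out

if __name__ == "__main__":
    for bucket, ports in triage(parse(SAMPLE)).items():
        print(f"{bucket:13} {ports}")
```
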


