Re: Port scanned
From: Warren Bailey (email@example.com)
- In reply to: Subba Rao: "Port scanned"
Message-ID: <006401c13721$fdbbb430$6401a8c0@server>
From: "Warren Bailey" <firstname.lastname@example.org>
To: "Subba Rao" <email@example.com>, "Focus IDS" <FOCUS-IDS@SECURITYFOCUS.COM>
Subject: Re: Port scanned
Date: Thu, 6 Sep 2001 14:19:27 -0800

Well.. sometimes people will open that port just to make it look that way..
I've seen machines with every port on the entire box show as open, but then
again, ipchains was denying access. I would say you should go and have a
beer, and audit more apache/secure logs on who's doing this. I wouldn't worry
about the trinoo stuff. I don't even think that there is a Netbus
client/server MADE for FBSD.
> Most of the log entries in the past few weeks were the Code Red worm. Now
> then I get access attempts from Sub-7 worm (port 27573). Today I have
> system trying to access port 33112 on my system. I could match this port
> any of the well known trojan ports. So, I reverse probed the probing
> Among the several ports that it has open (FreeBSD system), it had the
> ports visible.
> 12345/tcp filtered NetBus
> 27665/tcp filtered Trinoo_Master
> Is Trinoo_Master the server component of the DDOS tool? What is the best
> course of action when you find a potential hostile system?
> Thanks for any info.
> Subba Rao
> GPG public key ID CCB7344E
> Key fingerprint = A8DD 4CBA 1E9B D962 A55B 2B55 BAFE 92C5 CCB7 344E