Re: Subseven Scans

From: H C (keydet89@yahoo.com)
Date: 08/12/02


Date: Mon, 12 Aug 2002 13:39:11 -0700 (PDT)
From: H C <keydet89@yahoo.com>
To: grdnwsl <grdnwsl@mrichi.com>, Rob Keown <Keown@MACDIRECT.COM>

Preston,

> I've seen quite a bit of traffic on ports tcp/12345
> and tcp/27374.
> According to what I've seen, 27374 is a port used by
> quite a few versions of SubSeven,

A couple of things...first, port 27374 is the default
port for both SubSeven and the Ramen worm
(Linux). Therefore, a SYN packet destined for that
port is, in and of itself, inconclusive.

Second, I'm sure you're aware that default ports are
just that, and in many cases, configurable.

> as for 12345, it's not mentioned that subseven
> runs on that port (that I've seen)

It's NetBus's default port (1.7x and previous
versions).

> but I am seeing attempted
> connections to these ports at the same time (maybe
> some other vuln
> attempt I'm not aware of? anyone?). Hope that
> helps.

Given that these SYN packets are dropped by the f/w
(in most cases), they simply seem to be scans at this
point. As far as vulnerabilities are concerned, they
may or may not be...but if there's a trojan installed
on a system, the admin has more to worry about than
vulnerabilities.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
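
The triage described in the message above, as an added example that is not part of the original post: it groups firewall-dropped SYNs to the two default ports by source and lists the candidate tools for each port rather than naming one. The iptables-like log layout, the sample lines, and the 60-second window are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default-port associations named in the message; ports are configurable,
# so a match is a hint, not an identification.
DEFAULT_PORTS = {27374: ("SubSeven", "Ramen worm"), 12345: ("NetBus <= 1.7x",)}

# Constructed sample lines in an iptables-LOG-like layout (assumed format).
SAMPLE_LOG = """\
Aug 12 13:01:02 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4312 DPT=27374 SYN
Aug 12 13:01:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=4313 DPT=12345 SYN
Aug 12 13:01:04 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=192.0.2.11 PROTO=TCP SPT=4314 DPT=27374 SYN
Aug 12 13:07:40 fw kernel: DROP IN=eth0 SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP SPT=1050 DPT=27374 SYN
Aug 12 13:09:15 fw kernel: DROP IN=eth0 SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) .*?DROP .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?DPT=(?P<dpt>\d+) .*?SYN\b")

def summarize(log_text, window=timedelta(seconds=60), year=2002):
    """Group dropped SYNs to the watched ports by source address."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["dpt"]) not in DEFAULT_PORTS:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        hits[m["src"]].append((ts, m["dst"], int(m["dpt"])))
    report = {}
    for src, events in hits.items():
        events.sort()
        ports = {p for _, _, p in events}
        span = events[-1][0] - events[0][0]
        report[src] = {
            "ports": sorted(ports),
            "targets": sorted({d for _, d, _ in events}),
            "candidates": sorted({n for p in ports for n in DEFAULT_PORTS[p]}),
            # More than one watched port inside the window reads as a sweep.
            "multi_port_sweep": len(ports) > 1 and span <= window,
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A source that appears here has only been seen knocking; whether any internal host answers on those ports has to be checked from the inside.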
