Re: Strange back-orifice looking scan...

From: Jeff Kell (jeff-kell@utc.edu)
Date: 09/05/02


Date: Wed, 04 Sep 2002 22:32:09 -0400
From: Jeff Kell <jeff-kell@utc.edu>
To: KoRe MeLtDoWn <koremeltdown@hotmail.com>

KoRe MeLtDoWn wrote:
>
> Hey Jeff,
> Port 1214 used by Kazaa aka Morpheus, this is obviously the remote port that
> the "scanner" is using. Port 31336 IS used by Back Orifice 2000 aka BO2k aka
> DeepBO (this is a special release of BO btw).

But this is UDP, not TCP.

> however they are
> actively portscanning either your network I wasnt sure if it was a network
> you had) or just your lone box.

It is an overloaded NAT, not a lone box.

Jeff

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



Relevant Pages

  • Re: Help me to diagnose !!!
    ... >Remote Host: Mailserver(I omit the ip here) ... >Remote Port: 445 ... but more likely is a simple "network neighborhood search". ...
    (comp.security.misc)
  • Re: Help me to diagnose !!!
    ... >Remote Host: Mailserver(I omit the ip here) ... >Remote Port: 445 ... but more likely is a simple "network neighborhood search". ...
    (comp.security.firewalls)
  • Re: How to tell if a firewall alert is suspicious or not
    ... but I maintain a list of daily requests and this is ... And, why, does my network still work even though I said ... has received a Multicast packet from the remote machine. ... using remote port 443. ...
    (microsoft.public.security)
  • Re: How to tell if a firewall alert is suspicious or not
    ... but I maintain a list of daily requests and this is ... And, why, does my network still work even though I said ... has received a Multicast packet from the remote machine. ... using remote port 443. ...
    (microsoft.public.windowsxp.security_admin)
  • Re: How to tell if a firewall alert is suspicious or not
    ... but I maintain a list of daily requests and this is ... And, why, does my network still work even though I said ... has received a Multicast packet from the remote machine. ... using remote port 443. ...
    (comp.security.firewalls)