Re: Large increase in port 27347

kyle.r.maxwell_at_verizon.com
Date: 10/30/03

    To: "Bruce Moore" <291@canada.com>
    Date: Thu, 30 Oct 2003 09:48:27 -0600
    
    

    As Mark pointed out, this activity is on TCP 27347, not TCP 27374.
    Although I wonder if there's some scanning out there based on a typo in
    the port number?

    --
    Kyle Maxwell
    InfoSec Engineer
    Verizon Global Security Operations Center
    kyle.r.maxwell@verizon.com

    "Bruce Moore" <291@canada.com>
    10/29/2003 09:31 AM

            To:     incidents@securityfocus.com
            cc:
            Subject:        Re: Large increase in port 27347
    In-Reply-To: <3E71BE64C6ECD8449CD5A236F700FA96814643@odcexch.wei.owhc.net>

    Could possibly be attributed to Sub7 Trojan or Spybot worm family.
    McAfee has recently commented on this activity and updated their website.
    See link below.
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100282

    >From: "Bassett, Mark" <mbassett@omaha.com>
    >To: <incidents@securityfocus.com>
    >
    >MAJOR increase in port 27347 hits.  If anyone manages to capture
    >whatever this is please post immediately  =)  Be on the lookout folks.
    >
    >http://isc.incidents.org/port_details.html?port=27347
    >
    >Mark Bassett
    >Network Administrator
    >World media company
    >Omaha.com
    >402-898-2079
    >
    ---------------------------------------------------------------------------
    Network with over 10,000 of the brightest minds in information security
    at the largest, most highly-anticipated industry event of the year.
    Don't miss RSA Conference 2004! Choose from over 200 class sessions and
    see demos from more than 250 industry vendors. If your job touches
    security, you need to be here. Learn more or register at
    http://www.securityfocus.com/sponsor/RSA_incidents_031023
    and use priority code SF4.
    ----------------------------------------------------------------------------
    
