Re: attacks on local port 1025

From: Erwin Michiels (ErwinMichiels_at_discussions.microsoft.com)
Date: 06/28/04


Date: Sun, 27 Jun 2004 16:26:01 -0700

My firewall (Agnitum Outpost) is blocking this inbound traffic when svchost.exe uses PASV FTP (TCP) on port 1025 and a range of others. Nevertheless, my firewall logs the connection request ("attack") on port 1025 (TCP) and also the attempted inbound connection with svchost.exe using PASV FTP on the same port. As written in my first post, my firewall then denies the request. My point is that SVCHOST.EXE ALLOWS THIS INBOUND TRAFFIC on port 1025. So this is a system vulnerability. I doubt this is caused by a trojan having called home or some other virus. I run a fully patched system checked with MBSA, a firewall checked with grc.com (fully stealthed), an up-to-date anti-virus application and an up-to-date spyware blocker. If this is caused by a virus of some kind, it has to be completely new. But I will look into ServU. Thank you for the suggestion.

"Jeff Cochran" wrote:

> First, why isn't your firewall blocking this? Second, port 1025 is a
> common port used for many access reasons, and FTP is one of those.
> Third, port 1025 is an often used port for a number of scripted attack
> vectors, usually a compromised system that has had ServU installed.
>
> Jeff


