Re: Sasser ports
From: Andrew Mitchell (amitchell_at_removecasey.vic.gov.au)
Date: 05/03/04
- Next message: Danny Lesnik: "RE: Directory Service cannot start. Error Status: 0xc00002e1"
- Previous message: Sandeep: "Active Directory Service Error"
- In reply to: John: "Sasser ports"
- Next in thread: Karl Levinson [x y] mvp: "Re: Sasser ports"
- Reply: Karl Levinson [x y] mvp: "Re: Sasser ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 03 May 2004 00:29:56 -0700
"John" <anonymous@discussions.microsoft.com> said
> Sasser scans on port 445. I've also read some sources that
> claim it scans on different ports:
> 139
> (http://www.microsoft.com/technet/Security/alerts/sasser.mspx
> under PREVENTION), 1025+ (can't find the link anymore), or
> 1068+ (http://vil.nai.com/vil/content/v_125007.htm under
> Symptoms)
>
> Only 445 has come up consistently though (excluding 5554
> and 9996 of course). Then there's a trojan that scans
> 137-139 and 445
> http://www.sarc.com/avcenter/venc/data/hacktool.lsasssba.html
> but I'm not sure if this is the same as the sasser worm. So
> what ports for sure besides 445 is sasser using?
>
Connects to destination port 445
Starts an FTP server listening on port 5554
Runs a remote shell on port 9996
AFAIK 139 is not used at all.
Andy.
- Next message: Danny Lesnik: "RE: Directory Service cannot start. Error Status: 0xc00002e1"
- Previous message: Sandeep: "Active Directory Service Error"
- In reply to: John: "Sasser ports"
- Next in thread: Karl Levinson [x y] mvp: "Re: Sasser ports"
- Reply: Karl Levinson [x y] mvp: "Re: Sasser ports"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
