Security Incidents mailing list archives

Re: PC Anywhere client seems to probe class C of connected networks


From: sellermann () RSTRAT COM (Steve Ellermann)
Date: Wed, 26 Jan 2000 12:30:15 -0700


A new rash of abuse desk inquiries has to do with PC Anywhere probes on
port 5632 and ssh port 22 from clients within the same class C as the
computers reporting the probing.  This happens on our dynamic dialup pools
as well as netblocks we allocate subnets and dialup statics.

Does anyone have any experience with this software?  Is it on by default?
Can the probing be turned off altogether or on a per-interface basis?
Any abuse desks with many new reports of this over the last few weeks?

Your question is a little unclear to me, however the information below
should help.

PC Anywhere Characteristics:
Protocol: UDP & TCP
Ports: 22/UDP, 5632/UDP, 5631/TCP, 65301/TCP

To scan an entire c class in 'Remote Control' mode, the IP settings are set
to xxx.xxx.xxx.255 instead of a single address. This setting needs to be
set up by the user. This will present the user with a list of workstations in
that c class that have the application running in host mode.

Side note:
The program might have been set up in stealth mode and to start the program
in host mode when the workstation is booted.

To remove stealth mode:
using regedit:
\HKEY_LOCAL_MACHINE\Software\Symantic\pcANYWHERE\CurrentVersion\host\
Look for the DWORD 'ServiceStealthMode'
To turn stealth mode off, change the value from '1' to '0'

Steve Ellermann
Resource Strategies - The Intelligent Use of Technology
http://www.rstrat.com
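
For an abuse desk triaging these reports, the following is an added example (not part of the original post or of any Symantec tooling) that classifies firewall records matching the pattern described above: UDP 5632 or 22 from a source inside the same /24 as the destination. It goes beyond the post by also flagging per-host sweeps alongside the .255 broadcast; the log format, the function name and the sweep threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Ports taken from the post: pcAnywhere uses 5632/UDP and 22/UDP.
PCA_UDP_PORTS = {22, 5632}

# Constructed sample records (not real traffic), format: "src dst proto dport"
SAMPLE_LOG = """\
192.0.2.17 192.0.2.255 udp 5632
192.0.2.17 192.0.2.255 udp 22
192.0.2.40 192.0.2.10 udp 5632
192.0.2.40 192.0.2.11 udp 5632
192.0.2.40 192.0.2.12 udp 5632
192.0.2.40 192.0.2.13 udp 22
192.0.2.99 192.0.2.10 tcp 22
198.51.100.5 192.0.2.10 udp 5632
"""

def classify_pca_probes(log_text, sweep_threshold=4):
    """Map each same-/24 source to 'broadcast-browse' or 'unicast-sweep'."""
    broadcast = set()
    targets = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed records
        src, dst, proto, dport = fields
        if proto.lower() != "udp" or not dport.isdigit():
            continue  # TCP 22 is ordinary ssh, not this pattern
        if int(dport) not in PCA_UDP_PORTS:
            continue
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        except ValueError:
            continue
        net = ipaddress.ip_network(f"{dst}/24", strict=False)
        if src_ip not in net:
            continue  # only the "same class C" case from the post
        if dst_ip == net.broadcast_address:
            broadcast.add(src)       # the xxx.xxx.xxx.255 setting
        else:
            targets[src].add(dst)    # distinct hosts probed one by one
    result = {s: "unicast-sweep" for s, d in targets.items()
              if len(d) >= sweep_threshold}
    result.update({s: "broadcast-browse" for s in broadcast})
    return result
```
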

