Re: PC Anywhere client seems to probe class C of connected networks

[bugtraq () NETWORKICE COM (Robert Graham)]

This is very common. The default PCanywhere product scans its local Class C
address range. Therefore, it happens alot whenever many people share a
common Class C block.

The following URL from our company has a lot of details on this issue,
including an animation as to what the user scanning you is seeing on his/her
computer, and a couple of hints as to what that user could do to stop
his/her computer from doing so.
http://advice.networkice.com/advice/intrusions/2001507/
This is a help page from our personal intrusion detection product (BlackICE
Defender). We try to word this in a way to reduce the load on abuse@ support
desks.

A summary of this is also mentioned in my FAQ of the most common types of
incidents you'll see against your firewall may also be helpful.
http://www.robertgraham.com/pubs/firewall-seen.html#port5632

Rob.

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () securityfocus com]On
Behalf Of Troy Ablan
Sent: Tuesday, January 25, 2000 2:07 PM
To: INCIDENTS () securityfocus com
Subject: PC Anywhere client seems to probe class C of connected networks

A new rash of abuse desk inquiries have to do with PC Anywhere probes on
port 5632 and ssh port 22 from clients within the same class C as the
computers reporting the probing.  This happens on our dynamic dialup pools
as well as netblocks we allocate subnets and dialup statics.

Does anyone have any experience with this software?  Is is on by default?
Can the probing be turned off altogether or on a per-interface basis?
Any abuse desks with many new reports of this over the last few weeks?

--
Troy Ablan   chaser () shore net         M-F 11p-7a
             Shore.Net     Systems Administrator
             support () shore net      781-593-3110