Security Incidents mailing list archives
Re: correlation between portscans and local activity
From: johnson.bob () KOLUMBUS FI (Bob Johnson)
Date: Tue, 4 Jan 2000 00:14:30 +0200
ref the original message, ppl scanning port 1080 are looking for wingates/socks proxies so it is 99% sure this is what it was - whether it was an irc server checking u or someone hunting for a proxy to use is not possible to tell without more info (like ip, etc.).

port 31337 is also a common trojan port (don't have to be BO - could be any of them that allow configurable ports). also note: 31337 is also what hackers (and hacker wannabes) use for "elite" (eleet) and therefore a popular number to use, mostly among the wannabes, but then i guess most of u know this already...

enjoy ur surfing and keep an eye on yer netstats, ppl.

-----Original Message-----
From: R a v e N <barakirs () netvision net il>
To: INCIDENTS () SECURITYFOCUS COM <INCIDENTS () SECURITYFOCUS COM>
Date: 03 January 2000 23:58
Subject: Re: correlation between portscans and local activity
Both ports are Windows remote administration trojan ports, I think. Could either be a script kiddie scanning everyone on his contact list that goes online (maybe with some ICQ plugins. I've seen some "click-and-winnuke" ICQ plugins once, so I guess there are RAT port scanners for ICQ as well. Next thing there's gonna be an integrated message spoofer and other such features like in LIcq). It could also be another script kiddie scanning whole subnets for RAT ports.

If not (I'm completely sure that the second is a RAT port, but I don't know about the first), it could just be an IRC server scanning someone from your family for a wingate or SOCKS firewall on their box that can be used for bouncing (most IRC servers do this whenever someone initiates an IRC session with them in order to fight wingaters and suchlikes).

Try downloading blacksun.box.sk/nemesis-latest.zip. It scans for RAT ports on your local machine and on your friends' machines or on your own network and searches for RATs. It is possible that the "attacker(s)" is/are misusing it or a similar program...

--
If a packet hits a pocket on a socket on a port
And the bus is interrupted as a very last resort
And the address of the memory makes the data link abort
Then the socket packet pocket has an error to report.
http://blacksun.box.sk

Thomas Molina wrote:

This weekend I've started noticing a possible loose correlation between portscans on my Linux boxes and local activity. It is connected to the internet through a cable modem. It also provides masqueraded internet connectivity for a couple of Win 98 boxes. The Windows boxes mainly are used by the family for web browsing, icq, and aol instant messaging. There now appears to be some coincidence between the times my family does web browsing and when I get scanned for port 1080. I also got some scans for port 31337 (back orifice?) following an icq session by my son.

Is this just a wild guess on my part or am I just now noticing something blindingly obvious to everyone else? Time to learn more about NAT and iptables so I can confirm this wild theory.
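Added example, not part of the original thread: one way to test the correlation asked about above is to match each inbound probe against outbound sessions the masqueraded hosts started shortly before it, separating probes that come from the remote peer itself (the IRC-server proxy check described in the replies) from probes that merely coincide in time. The log records, addresses, ports other than 1080 and 31337, and the 120-second window are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from the thread); addresses are documentation ranges.
# Outbound sessions from masqueraded LAN hosts: (start time, LAN host, remote IP, remote port)
OUTBOUND = [
    ("2000-01-02 19:00:05", "192.168.1.10", "198.51.100.20", 6667),  # IRC session
    ("2000-01-02 20:15:40", "192.168.1.11", "203.0.113.7", 80),      # web browsing
    ("2000-01-02 21:30:00", "192.168.1.11", "203.0.113.50", 4000),   # ICQ session
]
# Inbound probes logged on the gateway: (time, source IP, destination port)
PROBES = [
    ("2000-01-02 19:00:09", "198.51.100.20", 1080),   # same host the LAN just connected to
    ("2000-01-02 20:16:10", "192.0.2.99", 1080),      # different host, shortly after browsing
    ("2000-01-02 21:31:12", "192.0.2.45", 31337),     # different host, shortly after ICQ
    ("2000-01-03 04:00:00", "192.0.2.200", 31337),    # nobody online
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")

def classify(probes=PROBES, outbound=OUTBOUND, window=timedelta(seconds=120)):
    """Label each probe by its relation to recent outbound session starts.

    remote-peer  : probe source is a host the LAN connected to within the window
                   (consistent with a server checking its client for an open proxy)
    time-only    : local activity within the window, but a different source
                   (a coincidence in time; needs more data to say anything)
    uncorrelated : no local outbound activity within the window
    """
    results = []
    for p_time, p_src, p_port in probes:
        t = parse(p_time)
        recent = [o for o in outbound
                  if timedelta(0) <= t - parse(o[0]) <= window]
        if any(o[2] == p_src for o in recent):
            verdict = "remote-peer"
        elif recent:
            verdict = "time-only"
        else:
            verdict = "uncorrelated"
        results.append((p_src, p_port, verdict))
    return results

if __name__ == "__main__":
    for src, port, verdict in classify():
        print(f"{src:15} -> port {port:<5} {verdict}")
```

A high share of "time-only" results over many days says little on its own; compare it with the probe rate during hours when no LAN host is online before reading anything into it.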