Re: Ports 12345, 5742 and 20034

[genex69 () HOTMAIL COM (Andy David)]

12345 is a Netbus scan.

5742 is a scan for WinCrash.

and finally.....

20034 is a NetBus 2 Pro scan....

Hope this helps...

Andrew David
genex () k--rad com

> From: Artur Nowak <Artur.Nowak-incidents () WODIP OPOLE PL>
> Reply-To: Artur Nowak <Artur.Nowak-incidents () WODIP OPOLE PL>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Ports 12345, 5742 and 20034
> Date: Sat, 8 Jan 2000 22:58:53 +0100
> MIME-Version: 1.0
> Received: from [207.126.127.68] by hotmail.com (3.2) with ESMTP id
> MHotMailBA43F7820087D82197AECF7E7F44A8E60; Mon Jan 10 20:07:31 2000
> Received: from lists.securityfocus.com (lists.securityfocus.com
> [207.126.127.68])by lists.securityfocus.com (Postfix) with ESMTPid
> 933121F01D; Mon, 10 Jan 2000 20:00:25 -0800 (PST)
> Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
> (LISTSERV-TCP/IP release 1.8d) with spool id 2190807 for
> INCIDENTS () LISTS SECURITYFOCUS COM; Mon, 10 Jan 2000 20:00:20 -0800
> Received: from securityfocus.com (securityfocus.com [207.126.127.66]) by
>       lists.securityfocus.com (Postfix) with SMTP id 9D10A1EE97 for
>   <incidents () lists securityfocus com>; Sun,  9 Jan 2000 04:20:14 -0800
>      (PST)
> Received: (qmail 7453 invoked by alias); 9 Jan 2000 12:20:14 -0000
> Received: (qmail 7450 invoked from network); 9 Jan 2000 12:20:13 -0000
> Received: from piast.wodip.opole.pl (HELO wodip.opole.pl) (212.244.78.65)
> by          securityfocus.com with SMTP; 9 Jan 2000 12:20:13 -0000
> Received: (qmail 29077 invoked from network); 8 Jan 2000 22:53:16 -0000
> Received: from pc2.dialin.wodip.opole.pl (HELO anowak.priv.pl)
> (192.168.250.2)          by piast.wodip.opole.pl with SMTP; 8 Jan 2000
> 22:53:16 -0000
> Received: (qmail 1992 invoked by uid 500); 8 Jan 2000 21:58:53 -0000
> From owner-incidents () SECURITYFOCUS COM Mon Jan 10 20:11:49 2000
> Approved-By: aleph1 () SECURITYFOCUS COM
> Delivered-To: incidents () lists securityfocus com
> Delivered-To: INCIDENTS () SECURITYFOCUS COM
> Message-ID:
> <Pine.LNX.4.21.0001082254210.1978-100000 () firewall anowak priv pl>
> Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
> X-To:         INCIDENTS () SECURITYFOCUS COM
>
> Hi for all!
>
> Today I saw many probes of connections to three ports. I know that on
> the port 12345 usually is a trojan, but what someone try to find on the
> other ports?
>
> Thanks for any help.
>
> Jan  8 10:44:02 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:02 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:02 last message repeated 3 times
> Jan  8 10:44:04 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:05 TCP: socks connection attempt from
> mb-u03ip006.mbnet.fi:4603
> Jan  8 10:44:05 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:05 TCP: port 20034 connection attempt from
> mb-u03ip006.mbnet.fi:4604
> Jan  8 10:44:08 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:08 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:08 TCP: port 20034 connection attempt from
> mb-u03ip006.mbnet.fi:4604
> Jan  8 10:44:11 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:11 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:11 TCP: port 20034 connection attempt from
> mb-u03ip006.mbnet.fi:4604
> Jan  8 10:44:21 TCP: socks connection attempt from
> mb-u03ip006.mbnet.fi:4603
>
> --
>  Artur Nowak       ==> mail anowak-pgp () wodip opole pl for PGP pub_key
>   e-mail : anowak () wodip opole pl       || anowak () polo po opole pl
>   www    : www.wodip.opole.pl/~anowak/ || polo.po.opole.pl/~anowak/
>  PGP: 0x7BCE3064 | CF14 7AF4 2A1B 485E B0B5 1261 F7A1 26D5 7BCE 3064

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com