Re: Ports 12345, 5742 and 20034

[Stan.Woods () US GASES BOC COM (Woods,Stan)]

Symark's Power Builder  daemon uses that port as well.

Stan Woods
mailto:stan.woods () us gases boc com

-----Original Message-----
From: Andy David [mailto:genex69 () HOTMAIL COM]
Sent: Tuesday, January 11, 2000 12:02 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Re: Ports 12345, 5742 and 20034

12345 is a Netbus scan.

5742 is a scan for WinCrash.

and finally.....

20034 is a NetBus 2 Pro scan....

Hope this helps...

Andrew David
genex () k--rad com

> From: Artur Nowak <Artur.Nowak-incidents () WODIP OPOLE PL>
> Reply-To: Artur Nowak <Artur.Nowak-incidents () WODIP OPOLE PL>
> To: INCIDENTS () SECURITYFOCUS COM
> Subject: Ports 12345, 5742 and 20034
> Date: Sat, 8 Jan 2000 22:58:53 +0100
> MIME-Version: 1.0
> Received: from [207.126.127.68] by hotmail.com (3.2) with ESMTP id
> MHotMailBA43F7820087D82197AECF7E7F44A8E60; Mon Jan 10 20:07:31 2000
> Received: from lists.securityfocus.com (lists.securityfocus.com
> [207.126.127.68])by lists.securityfocus.com (Postfix) with ESMTPid
> 933121F01D; Mon, 10 Jan 2000 20:00:25 -0800 (PST)
> Received: from LISTS.SECURITYFOCUS.COM by LISTS.SECURITYFOCUS.COM
> (LISTSERV-TCP/IP release 1.8d) with spool id 2190807 for
> INCIDENTS () LISTS SECURITYFOCUS COM; Mon, 10 Jan 2000 20:00:20 -0800
> Received: from securityfocus.com (securityfocus.com [207.126.127.66]) by
>       lists.securityfocus.com (Postfix) with SMTP id 9D10A1EE97 for
>   <incidents () lists securityfocus com>; Sun,  9 Jan 2000 04:20:14 -0800
>      (PST)
> Received: (qmail 7453 invoked by alias); 9 Jan 2000 12:20:14 -0000
> Received: (qmail 7450 invoked from network); 9 Jan 2000 12:20:13 -0000
> Received: from piast.wodip.opole.pl (HELO wodip.opole.pl) (212.244.78.65)
> by          securityfocus.com with SMTP; 9 Jan 2000 12:20:13 -0000
> Received: (qmail 29077 invoked from network); 8 Jan 2000 22:53:16 -0000
> Received: from pc2.dialin.wodip.opole.pl (HELO anowak.priv.pl)
> (192.168.250.2)          by piast.wodip.opole.pl with SMTP; 8 Jan 2000
> 22:53:16 -0000
> Received: (qmail 1992 invoked by uid 500); 8 Jan 2000 21:58:53 -0000
> From owner-incidents () SECURITYFOCUS COM Mon Jan 10 20:11:49 2000
> Approved-By: aleph1 () SECURITYFOCUS COM
> Delivered-To: incidents () lists securityfocus com
> Delivered-To: INCIDENTS () SECURITYFOCUS COM
> Message-ID:
> <Pine.LNX.4.21.0001082254210.1978-100000 () firewall anowak priv pl>
> Sender: Incidents Mailing List <INCIDENTS () SECURITYFOCUS COM>
> X-To:         INCIDENTS () SECURITYFOCUS COM
>
> Hi for all!
>
> Today I saw many probes of connections to three ports. I know that on
> the port 12345 usually is a trojan, but what someone try to find on the
> other ports?
>
> Thanks for any help.
>
> Jan  8 10:44:02 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:02 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:02 last message repeated 3 times
> Jan  8 10:44:04 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:05 TCP: socks connection attempt from
> mb-u03ip006.mbnet.fi:4603
> Jan  8 10:44:05 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:05 TCP: port 20034 connection attempt from
> mb-u03ip006.mbnet.fi:4604
> Jan  8 10:44:08 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:08 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:08 TCP: port 20034 connection attempt from
> mb-u03ip006.mbnet.fi:4604
> Jan  8 10:44:11 TCP: port 12345 connection attempt from
> mb-u03ip006.mbnet.fi:4602
> Jan  8 10:44:11 TCP: port 5742 connection attempt from
> mb-u03ip006.mbnet.fi:4605
> Jan  8 10:44:11 TCP: port 20034 connection attempt from
> mb-u03ip006.mbnet.fi:4604
> Jan  8 10:44:21 TCP: socks connection attempt from
> mb-u03ip006.mbnet.fi:4603
>
> --
>  Artur Nowak       ==> mail anowak-pgp () wodip opole pl for PGP pub_key
>   e-mail : anowak () wodip opole pl       || anowak () polo po opole pl
>   www    : www.wodip.opole.pl/~anowak/ || polo.po.opole.pl/~anowak/
>  PGP: 0x7BCE3064 | CF14 7AF4 2A1B 485E B0B5 1261 F7A1 26D5 7BCE 3064

______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
*********************************************************************
This footnote confirms that this e-mail message has been scanned for
the presence of known computer viruses by the Star Labs virus
scanning service. However, it is still recommended that you use
local virus scanning software to monitor for the presence of viruses.
*********************************************************************