Security Incidents mailing list archives
Re: Two scans (Klogin and a trojan?)
From: Dan_Schrader () TRENDMICRO COM (Dan Schrader)
Date: Tue, 23 May 2000 14:44:42 -0700
Port 27374 is used by the SubSeven trojan.
-----Original Message-----
From: Jose Nazario [SMTP:jose () BIOCSERVER BIOC CWRU EDU]
Sent: Sunday, May 21, 2000 10:13 AM
To: INCIDENTS () SECURITYFOCUS COM
Subject: Two scans (Klogin and a trojan?)

Hi all,

[All local hostname munged, all source IPs and names are what was recorded.]

I wanted to report on two quick scans I caught this weekend. Coming back from a vacation to find some suspicious log entries sucks, but hey, life would be boring without it.

The first is in regards to the recent Kerberos vulnerabilities (see the CERT advisory), someone probing for Klogin ports:

May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4, port 543

Now, this is rather worrisome:

Name: ns2.keminmaa.fi
Address: 194.252.152.4

It is named as nameserver (ns2) and, sure enough, responds as one. I hope it's not a rooted BIND8 server, but they'd be in good company if it is.

The second appears to be a trojan scan, but I could find nothing associated with that port (any ideas?):

May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64, port 27374

Looks like a customer having fun or a compromised box:

Name: pp2-64.world-net.co.nz
Address: 210.55.227.64

All times are in CDT (GMT-4) with the clock running fast by about 10 minutes.

See y'all around,

jose nazario
jose () biochemistry cwru edu
PGP fingerprint: 89 B0 81 DA 5B FD 7E 00 99 C3 B2 CD 48 A0 07 80
Public key available at http://biocserver.cwru.edu/~jose/pgp-key.asc
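A triage sketch for the two kernel rejection lines quoted in this thread, added here as an example and not part of either post: it parses the lines, labels the ports as the thread identifies them, and normalizes the timestamps to UTC. The year (2000, from the message date), the GMT-4 offset and the 10-minute clock skew are assumptions taken from the report; the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Port labels taken from the thread: 543 is klogin, 27374 is SubSeven.
KNOWN_PORTS = {543: "klogin (Kerberos rlogin)", 27374: "SubSeven trojan"}

# Matches the kernel rejection lines quoted in the report.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: "
    r"TCP connection rejected from (?P<src>\d{1,3}(?:\.\d{1,3}){3}), port (?P<port>\d+)$"
)

# Assumptions: year 2000 (from the email date), local zone GMT-4 and a clock
# about 10 minutes fast, both as stated by the reporter.
YEAR = 2000
LOCAL_TZ = timezone(timedelta(hours=-4))
CLOCK_FAST_BY = timedelta(minutes=10)

def parse_reject(line):
    """Return a dict for one rejection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    port = int(m.group("port"))
    if not 0 < port < 65536:
        return None
    # Syslog omits the year, so it is supplied from the assumption above.
    logged = datetime.strptime(f"{YEAR} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    corrected = logged.replace(tzinfo=LOCAL_TZ) - CLOCK_FAST_BY
    return {
        "utc": corrected.astimezone(timezone.utc),
        "src": m.group("src"),
        "port": port,
        "label": KNOWN_PORTS.get(port, "unknown"),
    }

# Sample input: the two log lines exactly as quoted in the report.
SAMPLE = """\
May 19 05:27:16 server kernel: TCP connection rejected from 194.252.152.4, port 543
May 20 06:04:45 server kernel: TCP connection rejected from 210.55.227.64, port 27374
"""

def triage(text):
    """Parse every matching line in a block of log text, skipping the rest."""
    return [r for r in map(parse_reject, text.splitlines()) if r]

if __name__ == "__main__":
    for r in triage(SAMPLE):
        print(f"{r['utc']:%Y-%m-%d %H:%M:%SZ} {r['src']} -> {r['port']} ({r['label']})")
```

Normalizing to UTC before sharing makes the entries directly comparable with other sites' logs of the same sources.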